From deedf6957d14c2808c00a009ac2c1d4528cb80c9 Mon Sep 17 00:00:00 2001 From: Tom Christie Date: Sat, 1 Sep 2012 20:26:27 +0100 Subject: REST framework 2 docs --- docs/topics/csrf.md | 12 ++++++++++++ docs/topics/formoverloading.md | 43 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 docs/topics/csrf.md create mode 100644 docs/topics/formoverloading.md (limited to 'docs/topics') diff --git a/docs/topics/csrf.md b/docs/topics/csrf.md new file mode 100644 index 00000000..a2ee1b9c --- /dev/null +++ b/docs/topics/csrf.md @@ -0,0 +1,12 @@ +# Working with AJAX and CSRF + +> "Take a close look at possible CSRF / XSRF vulnerabilities on your own websites. They're the worst kind of vulnerability -- very easy to exploit by attackers, yet not so intuitively easy to understand for software developers, at least until you've been bitten by one." +> +> — [Jeff Atwood][cite] + +* Explain need to add CSRF token to AJAX requests. +* Explain defered CSRF style used by REST framework +* Why you should use Django's standard login/logout views, and not REST framework view + + +[cite]: http://www.codinghorror.com/blog/2008/10/preventing-csrf-and-xsrf-attacks.html \ No newline at end of file diff --git a/docs/topics/formoverloading.md b/docs/topics/formoverloading.md new file mode 100644 index 00000000..a1828c3b --- /dev/null +++ b/docs/topics/formoverloading.md @@ -0,0 +1,43 @@ +# Browser based PUT & DELETE + +> "There are two noncontroversial uses for overloaded POST. The first is to *simulate* HTTP's uniform interface for clients like web browsers that don't support PUT or DELETE" +> +> — [RESTful Web Services](1), Leonard Richardson & Sam Ruby. + +## Overloading the HTTP method + +**TODO: Preamble.** Note that this is the same strategy as is used in [Ruby on Rails](2). + +For example, given the following form: + +
+ +`request.method` would return `"DELETE"`. + +## Overloading the HTTP content type + +Browser-based submission of content types other than form are supported by using form fields named `_content` and `_content_type`: + +For example, given the following form: + + + +`request.content_type` would return `"application/json"`, and `request.content` would return `"{'count': 1}"` + +## Why not just use Javascript? + +**[TODO]** + +## Doesn't HTML5 support PUT and DELETE forms? + +Nope. It was at one point intended to support `PUT` and `DELETE` forms, but was later [dropped from the spec](3). There remains [ongoing discussion](4) about adding support for `PUT` and `DELETE`, as well as how to support content-types other than form-encoded data. + +[1]: http://www.amazon.com/Restful-Web-Services-Leonard-Richardson/dp/0596529260 +[2]: http://guides.rubyonrails.org/form_helpers.html#how-do-forms-with-put-or-delete-methods-work +[3]: http://www.w3.org/TR/html5-diff/#changes-2010-06-24 +[4]: http://amundsen.com/examples/put-delete-forms/ -- cgit v1.2.3
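Review bot: In the `docs/topics/csrf.md` hunk, the bullet "Explain defered CSRF style used by REST framework" misspells "deferred", and the file is committed without a trailing newline (the "\ No newline at end of file" marker), which will show up as a spurious diff on the next edit. Since this page is an outline of points still to be written, consider noting in the bullets themselves the concrete guidance the finished page needs: that AJAX requests made against session-authenticated endpoints must send the CSRF token, and why login/logout should go through Django's standard views rather than a framework view, so the TODO is actionable for whoever fills it in.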
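Review bot: In the `docs/topics/formoverloading.md` hunk, the reference-style links are written with parentheses, `[RESTful Web Services](1)`, `[Ruby on Rails](2)`, `[dropped from the spec](3)`, `[ongoing discussion](4)`, so Markdown will render them as links to the literal URL "1", "2", etc.; they should be `[RESTful Web Services][1]` and so on to resolve against the `[1]:` definitions at the bottom. Two content points as well: the example says `request.content` would return `"{'count': 1}"` for `application/json`, but single-quoted keys are not valid JSON, so use `{"count": 1}`; and since the quoted rationale is specifically about overloaded POST, the page should state explicitly that `_method`, `_content` and `_content_type` are honoured only on POST submissions, so a plain link or GET can never be turned into a `DELETE`. Minor grammar: "Browser-based submission of content types other than form are supported" should read "is supported".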