Closed
The documentation here suggests that it will work:
Lines 540 to 546 in eed116a
```rst
Datasette uses `asgi-csrf <https://github.com/simonw/asgi-csrf>`__ to guard against CSRF attacks on form POST submissions. Users receive a ``ds_csrftoken`` cookie which is compared against the ``csrftoken`` form field (or ``x-csrftoken`` HTTP header) for every incoming request.

If your plugin implements a ``<form method="POST">`` anywhere you will need to include that token. You can do so with the following template snippet:

.. code-block:: html

    <input type="hidden" name="csrftoken" value="{{ csrftoken() }}">
```
But right now the csrftoken variable is set in BaseView.render, which means it's not visible to plugins that try to render templates using datasette.render_template:
datasette/datasette/views/base.py
Lines 99 to 106 in 799c5d5
```python
    async def render(self, templates, request, context=None):
        context = context or {}
        template = self.ds.jinja_env.select_template(templates)
        template_context = {
            **context,
            **{
                "database_url": self.database_url,
                "csrftoken": request.scope["csrftoken"],
```
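A simplified model of the cookie-versus-token comparison that the quoted documentation describes, added here as an example; it is not asgi-csrf or Datasette code. The function name `csrf_check`, the token value and the sample requests are constructed, and the sketch shows why a plugin form that reaches the browser without the token filled in is rejected on POST.

```python
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
FORM_TYPE = "application/x-www-form-urlencoded"


def csrf_check(method, headers, body=b""):
    """Return True if the request passes the ds_csrftoken comparison.

    headers: dict of lowercase header names to values (constructed input).
    """
    if method.upper() in SAFE_METHODS:
        return True  # only state-changing requests are checked
    cookie = SimpleCookie()
    cookie.load(headers.get("cookie", ""))
    morsel = cookie.get("ds_csrftoken")
    if morsel is None or not morsel.value:
        return False  # no cookie, so there is nothing to compare against
    # The x-csrftoken header is accepted as an alternative to the form field.
    submitted = headers.get("x-csrftoken", "")
    if not submitted and headers.get("content-type", "").startswith(FORM_TYPE):
        form = parse_qs(body.decode("utf-8"), keep_blank_values=True)
        submitted = form.get("csrftoken", [""])[0]
    if not submitted:
        return False  # hidden field missing or rendered empty
    # Constant-time comparison of cookie value and submitted token.
    return hmac.compare_digest(morsel.value.encode(), submitted.encode())


# Constructed sample requests, not captured traffic.
TOKEN = "constructed-token-123"
BASE = {"cookie": f"ds_csrftoken={TOKEN}", "content-type": FORM_TYPE}


def demo():
    return {
        "form_with_token": csrf_check("POST", BASE, f"csrftoken={TOKEN}&q=1".encode()),
        "form_empty_token": csrf_check("POST", BASE, b"csrftoken=&q=1"),
        "form_no_field": csrf_check("POST", BASE, b"q=1"),
        "header_token": csrf_check("POST", {**BASE, "x-csrftoken": TOKEN}, b"q=1"),
        "wrong_token": csrf_check("POST", BASE, b"csrftoken=other&q=1"),
        "no_cookie": csrf_check("POST", {"content-type": FORM_TYPE}, b"csrftoken=x"),
        "get_request": csrf_check("GET", {}),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```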