Don't set CSRF cookie on first visit. Signup is exempt from CSRF protection.

CHANGELOG.md

@@ -8,6 +8,9 @@ All notable changes to this project will be documented in this file.
 - Show Healthchecks version in Django admin header (#306)
 - Added JSON endpoint for Shields.io (#304)
 
+### Bug Fixes
+- Don't set CSRF cookie on first visit. Signup is exempt from CSRF protection.
+
 
 ## v1.11.0 - 2019-11-22
 

hc/accounts/views.py

@@ -144,6 +144,7 @@ def logout(request):
 
 
 @require_POST
+@csrf_exempt
 def signup(request):
     if not settings.REGISTRATION_OPEN:
         return HttpResponseForbidden()

static/js/signup.js

@@ -3,13 +3,11 @@ $(function () {
     function submitForm() {
         var base = document.getElementById("base-url").getAttribute("href").slice(0, -1);
         var email = $("#signup-email").val();
-        var token = $('input[name=csrfmiddlewaretoken]').val();
 
         $("#signup-go").prop("disabled", true);
         $.ajax({
             url: base + "/accounts/signup/",
             type: "post",
-            headers: {"X-CSRFToken": token},
             data: {"identity": email},
             success: function(data) {
                 $("#signup-result").html(data).show();

templates/front/signup_modal.html

@@ -20,8 +20,6 @@
                     We will email you a magic sign in link.
                 </p>
 
-
-                {% csrf_token %}
                 <button id="signup-go" class="btn btn-lg btn-primary btn-block">
                     Email Me a Link
                 </button>