How to add a field to POST values in CKeditor upload

清歌不尽 2020-12-31 21:21

I use Django and CKEditor to provide WYSIWYG taste to TextEdits. I would like to use the CKEditor file upload function (in filebrowser / image dialog), but the

6 Answers
  •  清歌不尽
    2020-12-31 21:45

    Providing you are sending a CSRF token in the URL across HTTPS it should be ok to do that (from a security point of view) and also a lot easier to deal with.

    That assumes Django can read that variable or you are able to easily mod Django. These answers trying to alter CKEditor seem a bit too much work imo.

    As long as your CSRF_token is being sent by the user's browser in a secure way to the server it doesn't matter if it is via POST or GET. The security concern at play is a man in the middle attack, i.e. you don't want a user's CSRF_token being broadcast in plain text.

    Strictly speaking this kind of data should be sent as POST according to the HTTP spec but this seems like a situation where 'misusing' the GET protocol might be acceptable as you don't have control of the CKEditor code in a particularly elegant way.

    Also you could get caught out if CKEditor changes things in an upgrade; passing the token via the URL will always work.
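A server-side sketch of the approach in the answer above, added here as an example (it is not code from the answer, from CKEditor, or from Django's own CSRF middleware): a generic double-submit check that compares a token taken from the upload URL with the token in the cookie, plus a helper that redacts the token before the URL is logged, since request URLs are routinely written to server logs. The parameter name `csrf_token`, the function names and the sample URL are assumptions.

```python
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "csrf_token"  # assumed query parameter name, not from the page


def token_from_url(url):
    """Return the single token value carried in the query string, or None."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    values = [v for k, v in pairs if k == TOKEN_PARAM]
    # Reject a missing, empty or repeated parameter instead of guessing
    # which occurrence should count.
    return values[0] if len(values) == 1 and values[0] else None


def upload_allowed(method, url, cookie_token):
    """Double-submit check: the URL token must equal the cookie token."""
    if method != "POST" or not cookie_token:
        return False
    url_token = token_from_url(url)
    if url_token is None:
        return False
    # Constant-time comparison so timing does not reveal a partial match.
    return hmac.compare_digest(url_token.encode(), cookie_token.encode())


def redact_for_log(url):
    """Replace the token value before the URL is written to any log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == TOKEN_PARAM else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sample request, not taken from the page.
    sample = "/upload/?CKEditorFuncNum=1&csrf_token=s3cr3tvalue"
    print(upload_allowed("POST", sample, "s3cr3tvalue"))
    print(redact_for_log(sample))
```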
