Sometimes, csrf magic interferes with my json request. #12

Open
rhedin opened this issue Jan 24, 2017 · 2 comments

rhedin commented Jan 24, 2017

About half the time I find "junk" in my request payload. Naturally, the site I am communicating with complains: `{"message": "Unsupported JSON format : Could not create a JSON event when trying to serialize"}`

```
__csrf_magic=sid:1abf8...,1485208109&{"sessionId": "johnsSession", ... "productId": "berli18"}
```

The other half of the time, the payload is not affected. I get a 200 back.

```
{"sessionId": "johnsSession", ... "productId": "berli18"}
```

Is there some technique to leave particular requests out of the special magic? I think you add something to XMLHttpRequest's prototype. Perhaps I should new the original object. Is that available somewhere?

Owner

ezyang commented Feb 4, 2017

The original function is always saved as csrf_functionname; look in csrf-magic.js to see how it's done. Maybe we should just split the JS file into two and make the overloading optional...


netniV commented Feb 23, 2020

I believe this was resolved by modifying the send and process functions to properly identify when objects were being used and thus inject the magic token as an element of the object rather than as a prefix string (which is incorrect).
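
The failure reported in this issue next to the body-aware handling described in the last comment, as an added JavaScript example that is not csrf-magic.js code. The helper names (`prefixToken`, `injectToken`, `isPlainObject`, `isJson`) are hypothetical, the token is a constructed placeholder, and classifying string bodies by Content-Type is an assumption.

```javascript
// Added illustration; all function names are hypothetical, not taken from csrf-magic.js.
const FIELD = "__csrf_magic";       // field name as it appears in the issue's payload
const TOKEN = "sid:CONSTRUCTED,0";  // constructed placeholder, not a real token

function isJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

function isPlainObject(v) {
  return v !== null && typeof v === "object" &&
         Object.getPrototypeOf(v) === Object.prototype;
}

// Reported behaviour: the token is prepended as a form field whatever the body is.
function prefixToken(body) {
  return FIELD + "=" + TOKEN + "&" + body;
}

// Body-aware variant (assumption: string bodies are classified by Content-Type).
function injectToken(body, contentType) {
  if (isPlainObject(body)) {
    return { ...body, [FIELD]: TOKEN };            // token becomes an element of the object
  }
  if (body != null && typeof body !== "string") {
    throw new TypeError("unsupported body type");  // FormData, Blob, arrays: not handled here
  }
  const type = (contentType || "").toLowerCase();
  if (type.startsWith("application/json")) {
    const parsed = JSON.parse(body);               // malformed JSON throws instead of being sent
    if (!isPlainObject(parsed)) {
      throw new TypeError("JSON body is not an object; no place for a token field");
    }
    return JSON.stringify({ ...parsed, [FIELD]: TOKEN });
  }
  // Form-encoded string: a leading field is valid here, and the value is URL-encoded.
  const field = FIELD + "=" + encodeURIComponent(TOKEN);
  return body ? field + "&" + body : field;
}

// Constructed sample modelled on the payload quoted in the issue.
const sample = '{"sessionId": "johnsSession", "productId": "berli18"}';

function demo() {
  return {
    prefixedIsJson: isJson(prefixToken(sample)),
    injectedIsJson: isJson(injectToken(sample, "application/json")),
    form: injectToken("a=1", "application/x-www-form-urlencoded"),
  };
}
console.log(demo());
```

The server-side check has to read the token from wherever the client places it, so a JSON field only helps if the receiving endpoint looks for it there and tolerates the extra key.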
