Plone.protect and AJAX POST requests

I have some custom JS code that needs to perform AJAX POST requests.
Plone raises "Forbidden: Form authenticator is invalid." with plone.protect installed.

What is the correct way to get hold of the authenticator value and how to inject it into the POST request?

describes how to inject the authenticator into a form but there is no API documentation about how to get hold of the authenticator without the input field stuff.

Assuming that I can inject the authenticator value into the JS namespace: would I just add its value to the 'data' array?

    $.ajax({
        type: 'POST',
        url: url,
        data: {
            subpath: SUBPATH,
            old_id: title,
            new_id: new_id
        },
        success: function(msg) {
            alert('success' + msg);
        },
        error: function(msg) {
            alert('error' + msg);
        }
    });



Have a look at which does this:

xhr.setRequestHeader("X-CSRF-TOKEN", token);

The protect.js script is injected dynamically by the transform from plone4.csrffixes, which also sets the token:

Is this on Plone 4.3.9? If you have updated the plone.protect pin to 3.x and you see the above errors, then it should help to add plone4.csrffixes after all. I have now changed the hotfix page at to mention this. We may want to see if we can integrate this better in core Plone so plone4.csrffixes is really no longer needed.

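The header approach from the answer above, as an added example (not code from the original posts, plone.protect or plone4.csrffixes): a wrapper that adds the `X-CSRF-TOKEN` header to jQuery-style AJAX options only for state-changing requests to the page's own origin, so the token is never sent to another site. The function names are hypothetical, and the token and page URL are assumed to be passed in by the caller.

```javascript
// Added example: attach the plone.protect token as an X-CSRF-TOKEN header.
// Assumptions: `token` has already been read from wherever the page exposes it,
// and `pageUrl` is the current page URL (window.location.href in a browser).
const UNSAFE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// True when targetUrl (absolute or relative) resolves to the page's own origin.
function isSameOrigin(targetUrl, pageUrl) {
  try {
    return new URL(targetUrl, pageUrl).origin === new URL(pageUrl).origin;
  } catch (e) {
    return false; // unparsable URL: treat as foreign and send no token
  }
}

// Returns a copy of jQuery-style AJAX options with the CSRF header added
// when the request changes state and stays on the same origin.
function withCsrfHeader(options, token, pageUrl) {
  const method = String(options.type || options.method || 'GET').toUpperCase();
  const headers = Object.assign({}, options.headers);
  if (token && UNSAFE_METHODS.has(method) && isSameOrigin(options.url, pageUrl)) {
    headers['X-CSRF-TOKEN'] = token;
  }
  return Object.assign({}, options, { headers: headers });
}

// Browser usage with jQuery (the `headers` option sets request headers):
//   $.ajax(withCsrfHeader({ type: 'POST', url: url, data: { old_id: title } },
//                         token, window.location.href));
```
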

Maybe we can add the protect.js script in plone.protect 3.x when used in Plone 4. I have opened an issue:


Thanks, clearly explained as always.