I have to create a form dynamically via JavaScript (yeah, that sounds ugly, but read this for the reason) and want to make its submission CSRF-proof. Usually, I use the @csrf_protect decorator in my views, and the {% csrf_token %} tag in my templates, as recommended in the docs. But what should I do with a client-side generated form? If I add a '/get_token/' view to generate a token on the server and obtain its value (say, via JSONP), then that means that I'm creating a backdoor an attacker could use to bypass the protection. Kinda head-scratching.

What would you recommend?
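For comparison, an added example (not code from the question or the answer) of the approach Django itself documents for scripts running on a page the Django site serves: copy the token from the `csrftoken` cookie into a hidden `csrfmiddlewaretoken` field, so no token-issuing `/get_token/` endpoint exists for another site to call. It assumes the page's view is decorated with `@ensure_csrf_cookie`; the cookie value and field names below are constructed.

```javascript
// Added example: build a JavaScript-generated form that carries Django's CSRF
// token read from the "csrftoken" cookie (set by CsrfViewMiddleware when the
// serving view uses @ensure_csrf_cookie).

// Return the value of `name` from a document.cookie-style string, or null.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const pair = part.trim();
    if (pair.startsWith(name + '=')) {
      return decodeURIComponent(pair.slice(name.length + 1));
    }
  }
  return null;
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build the HTML of a POST form carrying csrfmiddlewaretoken plus `fields`.
// Throws if the cookie is absent, so a missing @ensure_csrf_cookie shows up early
// instead of as a 403 on submit.
function renderCsrfForm(cookieString, action, fields) {
  const token = getCookie(cookieString, 'csrftoken');
  if (token === null) {
    throw new Error('csrftoken cookie not set; serve the page from an @ensure_csrf_cookie view');
  }
  const all = { csrfmiddlewaretoken: token, ...fields };
  const inputs = Object.entries(all)
    .map(([k, v]) => `<input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}">`)
    .join('');
  return `<form method="post" action="${escapeAttr(action)}">${inputs}<button type="submit">Send</button></form>`;
}

// Constructed sample of what document.cookie might hold on the Django site.
const SAMPLE_COOKIE = 'sessionid=abc123; csrftoken=tok%2Fvalue; other=1';

// In a browser the real cookie is used instead of the sample:
//   document.body.insertAdjacentHTML('beforeend',
//     renderCsrfForm(document.cookie, '/bookmarks/add/', { url: location.href }));
```

This only works where the script runs on the Django site's own origin; a bookmarklet injected into a third-party page sees that page's cookies, not the Django site's, so it cannot read the token this way.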

A: 

I couldn't solve my problem, but I've found a workaround. Since my form is generated by a bookmarklet, I've added to the address of the latter a uid variable corresponding to the current authenticated user's unique id. When the form is submitted, all I have to do is check whether it matches the uid stored in the database. If I generate a different bookmarklet address for each user, I don't see any CSRF issue.

Neewok