
fix: CSRF error. Django does not need a CSRF check on the pywebio view

wangweimin 5 years ago
parent
commit
c08d4429a0
2 changed files with 8 additions and 3 deletions
  1. 2 0
      pywebio/platform/django.py
  2. 6 3
      pywebio/platform/httpbased.py

+ 2 - 0
pywebio/platform/django.py

@@ -89,6 +89,8 @@ def webio_view(target,
                           session_cleanup_interval=session_cleanup_interval,
                           allowed_origins=allowed_origins, check_origin=check_origin)
 
+    from django.views.decorators.csrf import csrf_exempt
+    @csrf_exempt
     def view_func(request):
         context = DjangoHttpContext(request)
         return handler.handle_request(context)
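Review bot: `@csrf_exempt` on `view_func` disables Django's CSRF middleware for this endpoint, so protection now rests entirely on what `handler.handle_request` enforces (the companion change in httpbased.py refuses to create a session on a POST that carries no `webio-session-id`) plus the `allowed_origins`/`check_origin` arguments passed just above. That coupling should be written down where the decorator is applied, e.g. `# CSRF: Django's token check is bypassed here; HttpHandler.handle_request rejects POSTs without a webio-session-id instead`, so a later change to HttpHandler cannot silently reopen the view. The function-level `from django.views.decorators.csrf import csrf_exempt` presumably keeps django an optional import for the module; a blank line between it and the decorator would separate the two visually. `webio_view` begins before the hunk and continues past it.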

+ 6 - 3
pywebio/platform/httpbased.py

@@ -139,8 +139,11 @@ class HttpHandler:
         webio_session_id = None
 
         # webio-session-id 的请求头为空时,创建新 Session
-        if 'webio-session-id' not in request_headers or not request_headers[
-            'webio-session-id']:  # start new WebIOSession
+        if 'webio-session-id' not in request_headers or not request_headers['webio-session-id']:
+            if context.request_method() == 'POST':  # 不能在POST请求中创建Session,防止CSRF攻击
+                context.set_status(403)
+                return context.get_response()
+
             webio_session_id = random_str(24)
             context.set_header('webio-session-id', webio_session_id)
             webio_session = self.session_cls(self.target)
@@ -172,7 +175,7 @@ class HttpHandler:
 
         return context.get_response()
 
-    def __init__(self, target,session_cls,
+    def __init__(self, target, session_cls,
                  session_expire_seconds=None,
                  session_cleanup_interval=None,
                  allowed_origins=None, check_origin=None):
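Review bot: The 403 branch added at the top of the first hunk denies only `POST`: any other method that reaches this point without a `webio-session-id` still creates a session, so the guard is a deny-list on one verb where an allow-list (`if context.request_method() != 'GET':`) would be the safer shape — confirm first how HEAD/OPTIONS requests reach `handle_request`, which is outside the hunk. The rejected request also gets an empty 403 from `context.get_response()`; if the context API can carry a body, a one-line reason would let a client tell this apart from an origin rejection. Either way the comment on that `if` should state what is being prevented, e.g. `# no session-id on a POST: refuse rather than create one, so a cross-site form post cannot start a session (CSRF)`. The enclosing method starts before the hunk and continues after it; the second hunk is a whitespace fix only.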