I'd like to discuss whether forms should try to be secure by default. It's a bit like the autoescaping discussion.
The new Form class would need to accept dictionaries or request objects as input. A dictionary is however only accepted if you explicitly disable CSRF protection:

    form = MyForm(request.POST, csrf_protection=False)

We can keep it backwards compatible by introducing a setting which defaults to:

    CSRF_PROTECTION = False

and putting

    CSRF_PROTECTION = True

in the default settings.py file of new projects. Also encourage the use in the documentation. In Django 2.0 we set this to True. People would then need to explicitly turn off CSRF protection globally or on a per form basis.

Thanks,
Rudolph
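
The behaviour proposed in the message above, sketched as an added example that is not part of the original message and is not Django code. The names FakeRequest, CsrfError, session_token, accepted and the csrf_token field are hypothetical; only csrf_protection and CSRF_PROTECTION come from the proposal.

```python
import hmac

# Hypothetical stand-in for the proposed global setting (True = secure by default).
CSRF_PROTECTION = True


class CsrfError(Exception):
    """Raised when a form cannot verify that the submission is same-site."""


class FakeRequest:
    """Constructed stand-in for a request object: POST data plus session token."""
    def __init__(self, post, session_token):
        self.POST = post
        self.session_token = session_token


class Form:
    def __init__(self, data, csrf_protection=None):
        # The per-form argument overrides the global setting, as in the proposal.
        protect = CSRF_PROTECTION if csrf_protection is None else csrf_protection
        if not protect:
            self.data = dict(data.POST if isinstance(data, FakeRequest) else data)
            return
        if not isinstance(data, FakeRequest):
            # A bare dict carries no session, so the token cannot be checked.
            raise CsrfError("pass the request, or set csrf_protection=False")
        sent = data.POST.get("csrf_token", "")
        # Constant-time comparison of the submitted token with the session's token.
        if not hmac.compare_digest(sent.encode(), data.session_token.encode()):
            raise CsrfError("CSRF token missing or incorrect")
        self.data = {k: v for k, v in data.POST.items() if k != "csrf_token"}


def accepted(data, **kwargs):
    """Return True if the form accepts the input, False if the CSRF check rejects it."""
    try:
        Form(data, **kwargs)
        return True
    except CsrfError:
        return False
```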