I like Luke's arguments. A middleware seems like the right place because CSRF protection is about requests and responses. CSRF protection is more about POST requests in general, with HTML forms being a very common type of POST request.
IMHO the default settings.py file (generated with 'django-admin.py startproject') should have the middleware enabled by default. And wouldn't it be possible to enhance the current CSRFMiddleware to be more flexible, like also work without Django's session middleware? And add a template tag that inserts the token, for example to be used in AJAX or forms generated by JavaScript:

<script type="text/javascript"> var token = '{% csrf_token %}'; </script>

Cheers,
Rudolph
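As an added illustration of the middleware-plus-template-tag design sketched in the message above (example code written for this page, not Django's real CSRF implementation and not from the original post), the following Python models the three pieces: a token derived from a per-client cookie value rather than a Django session (so it does not depend on the session middleware), a stand-in for a {% csrf_token %} template tag that substitutes the token into HTML or inline JavaScript, and a middleware-style check that accepts the token from either a form field or a request header set by AJAX code. The request dicts, the cookie name and the header name are constructed for the example.

```python
import hashlib
import hmac

# Constructed example secret; a real deployment takes this from configuration.
SECRET_KEY = b"constructed-example-secret"

# Request methods that must never change state and so need no CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Assumed names for where the token may be supplied (form field or AJAX header).
FORM_FIELD = "csrfmiddlewaretoken"
HEADER_NAME = "X-CSRFToken"


def make_token(client_id: str) -> str:
    """Derive a CSRF token from a per-client cookie value and the server secret.

    Keying on a cookie instead of a server-side session means the check works
    without session middleware: the attacker's cross-site form cannot read
    the victim's cookie, so it cannot compute or copy the matching token.
    """
    return hmac.new(SECRET_KEY, client_id.encode(), hashlib.sha256).hexdigest()


def render_csrf_tag(template: str, client_id: str) -> str:
    """Stand-in for a {% csrf_token %} template tag: substitute the token.

    Works the same for an HTML form field and for an inline <script> that
    stores the token in a JavaScript variable for later AJAX requests.
    """
    return template.replace("{% csrf_token %}", make_token(client_id))


def csrf_check(request: dict):
    """Middleware-style check run before the view handles the request.

    `request` is a constructed dict with keys: method, cookies, form, headers.
    Returns (allowed, reason) so callers can log the rejection reason.
    """
    if request["method"] in SAFE_METHODS:
        return True, "safe method"

    client_id = request.get("cookies", {}).get("csrf_client")
    if not client_id:
        return False, "no client cookie"

    expected = make_token(client_id)
    supplied = (request.get("form", {}).get(FORM_FIELD)
                or request.get("headers", {}).get(HEADER_NAME))
    if not supplied:
        return False, "missing token"

    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(supplied, expected):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: render the tag into a script, then use the
    # token from an AJAX-style header and from a form field.
    cid = "client-cookie-value"
    page = render_csrf_tag(
        "<script type=\"text/javascript\"> var token = '{% csrf_token %}'; </script>", cid)
    print(page)
    token = make_token(cid)
    print(csrf_check({"method": "POST", "cookies": {"csrf_client": cid},
                      "headers": {HEADER_NAME: token}}))
    print(csrf_check({"method": "POST", "cookies": {"csrf_client": cid},
                      "form": {FORM_FIELD: "forged"}}))
```

The check rejects a POST that carries no token, a token minted for a different client cookie, and a request with no client cookie at all, while GET requests pass untouched; that mirrors the division of labour the message proposes, with the template tag responsible only for emitting the token and the middleware for enforcing it.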