On Wed, Mar 18, 2009 at 8:40 AM, Luke Plant <[email protected]> wrote:
> I propose adding the two [CSRF] middleware (view and response) to the
> MIDDLEWARE settings [...]

I'm a somewhat reluctant +0 on this -- the content re-writing that the CSRF middleware does has always rubbed me the wrong way. For one, it'll make implementing streaming responses quite a bit more difficult. But more importantly it just smells to me.

That said, I think with the addition of autoescaping we've started down the correct path of secure-by-default, and I think we need to follow that path. Given that none of the other alternatives I've seen have smelled any better, and given that this option *works right now*, let's do it.

Jacob
