On Wed, Mar 18, 2009 at 10:59 AM, Jacob Kaplan-Moss <[email protected]> wrote:
> I'm a somewhat reluctant +0 on this -- the content re-writing that the
> CSRF middleware does has always rubbed me the wrong way. For one,
> it'll make implementing streaming responses quite a bit more
> difficult. But more importantly it just smells to me.
>
> That said, I think with the addition of autoescaping we've started
> down the correct path of secure-by-default, and I think we need to
> follow that path. Given that none of the other alternatives I've seen
> have smelled any better, and given that this option *works right now*,
> let's do it.

Too late now since it's already committed, but I've got some serious reservations about this one. More development effort should have gone into improving and refactoring the middleware before it got automatically enabled.

--
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."
