Hi all,

Some big changes to the CSRF protection nearly got into Django 1.1, but didn't. Since then, more work has been done, overhauling the whole thing really. There has been a huge amount of discussion on mailing lists and tickets, so I've put together what I consider to be the conclusions, and my proposal for a way forward, on this page:

http://code.djangoproject.com/wiki/CsrfProtection

That page has almost everything you need to know, but just to highlight some things:

* The proposal is implemented in the lp-csrf_rework branch of this repo: http://bitbucket.org/spookylukey/django-trunk-lukeplant/ The difference from trunk is regularly copied to patches on ticket #9977, if you want simple diffs.

* The proposal (at the bottom of that page) needs review and consensus.

* Most of the implementation has been pretty well tested, but of course could do with review, especially as it is security related.

* The strict referer checking for HTTPS has not been tested at all in any live situations. (I don't have a live HTTPS site handy for doing such tests). It's possible that special attention also needs to be paid to HTTPS on non-default ports. Obviously these things need to be addressed before this could go into trunk.

* The tutorial has not been updated. Fixing it is not trivial. Since we are including the CsrfViewMiddleware in project_template/settings.py, POST forms, such as the one in tutorial 4, require {% load csrf %} and {% csrf_token %}, and corresponding view functions (created in tutorial 3) require RequestContext. I don't know what to do about this. Fixing it is ugly, not fixing it is worse. One option is to rewrite the view function from tutorial 3 in tutorial 4, combining the two views in one -- they have a fair amount of redundant code anyway -- and add RequestContext at that point.

I'm away for 3 weeks from this Wednesday, so I won't be able to respond to questions during that time. I imagine for most queries about the patch, 'Glenn' from ticket #9977, who has done a lot of the work on this (many thanks Glenn!), will be able to answer most things. Hopefully he's on the list!

It would be best for discussion to take place on this list (or on ticket #9977), the wiki page is just for gathering conclusions.

Thanks,

Luke

--
"If your parents never had children, the chances are you won't either."
Luke Plant || http://lukeplant.me.uk/
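The two checks the message discusses, a cookie-bound CSRF token compared against the submitted form field and strict Referer checking for HTTPS requests that also compares the port, as an added stand-alone model. This is not Django's CsrfViewMiddleware and not code from the lp-csrf_rework branch or ticket #9977; it is a simplified illustration written for this page. The cookie and form-field names (`csrftoken`, `csrfmiddlewaretoken`) are assumed here to mirror Django's convention, and `check_request` takes plain dicts in place of a request object.

```python
"""Toy model of CSRF-token validation plus strict HTTPS Referer checking.

Simplified stand-alone illustration, not Django's CsrfViewMiddleware.
"""
import hmac
import secrets
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
COOKIE_NAME = "csrftoken"          # assumed names, mirroring Django's convention
FORM_FIELD = "csrfmiddlewaretoken"


def new_csrf_token() -> str:
    """Unpredictable token to store in the cookie and echo in each POST form."""
    return secrets.token_hex(16)


def tokens_match(cookie_token: Optional[str], form_token: Optional[str]) -> bool:
    """Constant-time comparison; a missing value on either side fails closed."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def _origin(url: str, default_port: int) -> Optional[Tuple[str, str, int]]:
    """(scheme, hostname, port) of a URL, or None if it cannot be parsed.

    The default port is applied when the URL names none, so
    'https://example.com' and 'https://example.com:443' compare equal.
    """
    try:
        parts = urlsplit(url)
        if not parts.hostname:
            return None
        port = parts.port if parts.port is not None else default_port
        return parts.scheme.lower(), parts.hostname, port
    except ValueError:  # non-numeric port, malformed IPv6 literal, ...
        return None


def referer_allowed(referer: Optional[str], request_host: str) -> bool:
    """Strict Referer check for an HTTPS request.

    request_host is the request's Host header ('example.com' or
    'example.com:8443').  The Referer must be present, use https, and name
    exactly the same host *and* port, so a site on a non-default port is
    never treated as the same origin as the host on 443.
    """
    if not referer:
        return False                      # strict: a missing Referer is rejected
    ref = _origin(referer, 443)
    req = _origin("https://" + request_host, 443)
    if ref is None or req is None or ref[0] != "https":
        return False                      # unparsable, or a plain-http Referer
    return ref[1:] == req[1:]             # (hostname, port) must match exactly


def check_request(method: str, is_secure: bool, headers: Mapping[str, str],
                  cookies: Mapping[str, str], form: Mapping[str, str]) -> Tuple[bool, str]:
    """Apply the CSRF checks to one request; returns (accepted, reason)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, not checked"
    if is_secure and not referer_allowed(headers.get("Referer"), headers.get("Host", "")):
        return False, "referer check failed"
    if not tokens_match(cookies.get(COOKIE_NAME), form.get(FORM_FIELD)):
        return False, "csrf token mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    token = new_csrf_token()
    samples = [
        ("POST", True, {"Host": "example.com", "Referer": "https://example.com/poll/1/"},
         {COOKIE_NAME: token}, {FORM_FIELD: token}),
        ("POST", True, {"Host": "example.com:8443", "Referer": "https://example.com/poll/1/"},
         {COOKIE_NAME: token}, {FORM_FIELD: token}),
        ("POST", True, {"Host": "example.com", "Referer": "https://other.example.net/"},
         {COOKIE_NAME: token}, {FORM_FIELD: token}),
        ("POST", False, {"Host": "example.com"}, {COOKIE_NAME: token}, {FORM_FIELD: "stale"}),
    ]
    for sample in samples:
        print(sample[0], sample[2], "->", check_request(*sample))
```

Only the `(hostname, port)` pair is compared, so a Referer carrying userinfo (`https://example.com@other.example.net/`) resolves to `other.example.net` via `urlsplit().hostname` and is rejected, and a malformed port fails closed instead of raising.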