On Tue, Sep 22, 2009 at 7:12 AM, Russell Keith-Magee <freakboy3...@gmail.com> wrote:
> At this point, I'm convinced, mod the minor things I've flagged.
> However, I'd like to see Jacob and Malcolm chime in before this is
> committed.
I've mostly stayed out of the discussion because I haven't had much helpful to say that isn't being better expressed by someone else. But for the record I am following this closely, and it seems to me that y'all are narrowing in on a pretty good solution. That is, making CSRF protection built-in seems to be the best approach.

I did a quick survey of other web frameworks' CSRF protection, and found:

* CSRF protection is an optional component (something like SafeForm) in Pylons and TurboGears, and nobody seems to use it (judging by the lack of documentation, lack of examples, and lack of questions about it on mailing lists).
* CSRF protection is optional (again, something like SafeForm) in Symfony and CakePHP, and nobody seems to use it (similar criteria).
* CSRF protection is a built-in-but-optional bit in Zend (you can add a "csrf field" to any form to get automatic CSRF protection), and it seems to be used regularly.
* Rack::CSRF provides middleware-level CSRF protection to Rack apps, and seems to be used with microframeworks (e.g. Sinatra) regularly.
* Ruby on Rails provides built-in, completely transparent CSRF protection, and nearly everyone uses it.

Based on this quick-and-dirty evaluation, it seems the unifying factor is that nobody really uses CSRF protection unless (a) it's built in or (b) it's too late. Or, put another way, how many people got template auto-escaping right before we made it automatic?

I'm gonna give Luke's latest a try tonight if I can, but it looks pretty good.

Jacob

PS: I'm with Simon that we need a better shortcut for render-with-request-context. I'm gonna have to think a bit more about what that should be, though.
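An added illustration of the design distinction this thread turns on: opt-in, per-form checking (the SafeForm style, which silently does nothing in any view that forgets to call it) versus always-on, middleware-level checking (the Rack::CSRF and Rails style, which covers every state-changing request regardless of the view). This is not code from the original message, from Django, or from any of the frameworks surveyed; the request objects are plain dicts, the form-field name `csrf_token` is assumed, and the cross-site POST is constructed for the demonstration.

```python
"""
Toy comparison of opt-in (per-form) vs always-on (middleware) CSRF checking.
Request objects are plain dicts; this mirrors no real framework's API.
"""
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # side-effect-free methods
TOKEN_FIELD = "csrf_token"  # assumed name of the hidden form field


def issue_token(session):
    """Create (once per session) and return the secret a form must echo back."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_hex(16)
    return session[TOKEN_FIELD]


def token_is_valid(session, submitted):
    """Constant-time comparison of the submitted token with the session copy."""
    expected = session.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def _needs_rejection(request):
    """True for a state-changing request that carries no valid token."""
    return request["method"] not in SAFE_METHODS and not token_is_valid(
        request["session"], request["form"].get(TOKEN_FIELD)
    )


# --- Style 1: opt-in, per-form (the developer must remember to check) -------
def protected_view(request):
    if _needs_rejection(request):
        return 403, "CSRF verification failed"
    return 200, "state changed"


def forgotten_view(request):
    """The same action written by someone who never heard of the opt-in check."""
    return 200, "state changed"


# --- Style 2: always-on middleware (every view is covered) -------------------
def csrf_middleware(app):
    def wrapped(request):
        if _needs_rejection(request):
            return 403, "CSRF verification failed"
        return app(request)
    return wrapped


def make_request(method, session, form=None):
    return {"method": method, "session": session, "form": form or {}}


def compare_styles():
    """Status codes each style returns for a forged cross-site POST (constructed)."""
    session = {}                       # the victim's logged-in session
    token = issue_token(session)       # embedded only in the site's own forms
    forged = make_request("POST", session)  # browser sends the session cookie, but no token
    genuine = make_request("POST", session, {TOKEN_FIELD: token})
    covered_forgotten = csrf_middleware(forgotten_view)
    return {
        "optin_remembered": protected_view(forged)[0],        # 403
        "optin_forgotten": forgotten_view(forged)[0],         # 200: silently unprotected
        "middleware_forged": covered_forgotten(forged)[0],    # 403 although the view forgot
        "middleware_genuine": covered_forgotten(genuine)[0],  # 200
        "middleware_get": covered_forgotten(make_request("GET", session))[0],  # 200
    }


if __name__ == "__main__":
    for style, status in compare_styles().items():
        print(f"{style:20s} -> {status}")
```

The `optin_forgotten` row is the failure mode the survey describes: a per-form helper that nobody calls is indistinguishable, from the outside, from no protection at all, while the middleware row shows the same careless view being covered anyway.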