Hi Wim,

Your suggestion sounds something like Simon's SafeForm. While some elements of that proposal may end up in Django, it turns out that implementing SafeForm as the default solution requires *bigger* changes to existing code than adding the csrf_token, because you would need to pass additional info from the request to Form for it to be able to do the CSRF checks. It also only works if you are using Django Forms and rendering them via {{ form }} (instead of field-by-field, for instance).
If you want to see how we got to where we are, have a look at this thread: http://groups.google.com/group/django-developers/browse_thread/thread/3d2dc750082103dc/f3beb18c27fb7152 (OK, that was a nasty trick - the thread is huge, we discussed this nearly to death, but that's why I'm not going to repeat all the arguments here).

Also, you can use CsrfResponseMiddleware as an interim measure to stop your code from breaking, so the change to require csrf_token isn't quite so bad.

Thanks,

Luke

-- 
"It is a truth universally acknowledged, that a single man in possession of a good fortune, must be in want of a wife." (Jane Austen)

Luke Plant || http://lukeplant.me.uk/
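An added illustration of the trade-off described above (not code from Django, from this thread, or from Simon's SafeForm proposal): a form that does its own CSRF check has to be handed the request when it is constructed, and the hidden token only reaches the page when the whole form is rendered. `CsrfForm`, `FakeRequest` and the cookie/field names are assumptions made for this example.

```python
"""Hypothetical form-level CSRF check (not Django's implementation).

Shows why this design needs the request passed into the form, and why
it only covers whole-form rendering.  The request object and token
scheme are constructed stand-ins for this example."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class FakeRequest:
    """Minimal stand-in for the request object (constructed, not Django's)."""
    method: str = "GET"
    cookies: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)


class CsrfForm:
    """Form that validates CSRF itself; it cannot do so without the request."""

    COOKIE = "csrftoken"          # assumed cookie name
    FIELD = "csrfmiddlewaretoken"  # assumed hidden-field name

    def __init__(self, request, data=None):
        # The request is required only so the form can read the CSRF cookie;
        # this is the "additional info" a plain Form never needed.
        self.request = request
        self.data = data or {}
        # A middleware would normally set this cookie; generate one if absent.
        self.token = request.cookies.setdefault(self.COOKIE, secrets.token_hex(16))

    def csrf_input(self):
        return f'<input type="hidden" name="{self.FIELD}" value="{self.token}">'

    def as_html(self):
        """Whole-form rendering ({{ form }} style) includes the hidden token.
        Rendering field by field would bypass this method and omit it."""
        return self.csrf_input() + '<input type="text" name="comment">'

    def is_valid(self):
        if self.request.method != "POST":
            return True  # only state-changing requests are checked
        sent = self.data.get(self.FIELD, "")
        expected = self.request.cookies.get(self.COOKIE, "")
        # Constant-time comparison of the submitted token with the cookie.
        return hmac.compare_digest(sent, expected)
```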