On Sat, Sep 4, 2010 at 1:51 AM, Luke Plant <l.plant...@cantab.net> wrote:
> Barth, Jackson and Mitchell [1] collected some data that said that for
> same-domain HTTPS POST requests, the header is missing in only 0.05% to
> 0.22% of cases. They've also got strong evidence that the header is
> suppressed in the network, not by the browser.
17.6% of statistics are wrong unless you can prove it otherwise ;)

It does not matter if only 5 of 10k surveyed computers didn't send the header. There are whole class C sub-networks that don't by policy.

As for the vulnerability -- it's only there if you implement it yourself. If you send the initial login form over SSL (we do it this way for various reasons), the cookies are never prone to being intercepted.

I have a strong feeling that the framework should not hinder interoperation to try and save the developer from his stupidity unless explicitly asked to do so. If you really want to use POST in HTTP → HTTPS transitions, introduce settings.CSRF_WHATEVER, document it thoroughly and make it default to False. Now everyone is happy :)

--
Patryk Zawadzki
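To make the trade-off in this thread concrete, here is an added example (not Django's CsrfViewMiddleware and not code from either poster) of a Referer check that applies only to HTTPS requests, with a hypothetical `allow_http_referer` switch standing in for the proposed opt-in setting; the request records are constructed for the example.

```python
# Added example, not Django's code: a strict-by-default Referer check
# for HTTPS POSTs and the effect of an opt-in for HTTP -> HTTPS transitions.
from urllib.parse import urlsplit

# Constructed request records: (request scheme, request host, Referer header or None).
SAMPLE_REQUESTS = [
    ("https", "shop.example", "https://shop.example/cart"),     # same-origin HTTPS POST
    ("https", "shop.example", None),                            # Referer stripped in the network
    ("https", "shop.example", "http://shop.example/login"),     # HTTP -> HTTPS transition
    ("https", "shop.example", "https://evil.example/attack"),   # cross-site POST
    ("http",  "shop.example", None),                            # plain HTTP: check not applied
]

def referer_ok(scheme, host, referer, allow_http_referer=False):
    """Return (accepted, reason) for one request.

    The check is applied only to HTTPS requests, as in Django. Over HTTPS the
    Referer must be present and name the same host; it must also use https
    unless allow_http_referer (hypothetical opt-in, default False) is set,
    which is what lets an HTTP-served form POST to an HTTPS endpoint.
    A missing header is rejected in both modes, so a request whose Referer
    was stripped in transit fails regardless of the switch.
    """
    if scheme != "https":
        return True, "http request: referer check not applied"
    if referer is None:
        return False, "missing referer"
    parts = urlsplit(referer)
    if parts.netloc.lower() != host.lower():
        return False, "referer host mismatch"
    if parts.scheme != "https" and not allow_http_referer:
        return False, "referer not https"
    return True, "same-host referer accepted"

def evaluate(requests, allow_http_referer=False):
    """Apply referer_ok to each record; returns a list of (accepted, reason)."""
    return [referer_ok(s, h, r, allow_http_referer) for s, h, r in requests]

if __name__ == "__main__":
    for mode in (False, True):
        print(f"allow_http_referer={mode}")
        for (s, h, r), (ok, why) in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS, mode)):
            print(f"  {s:5} {h} referer={r!r:38} -> {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Only the HTTP → HTTPS transition changes outcome when the switch is turned on; the stripped-header and cross-site cases are rejected either way.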