This is awesome - very progressive and I hope other frameworks follow suit.
Have you done a poll of users to see how many would be affected by a "SAMEORIGIN" setting? Maybe that would be a good place to start. Is there some other way to test the overall impact of this prior to committing to it being on by default?

On Mar 13, 2:51 am, Ryan N <ryan.nieme...@gmail.com> wrote:
> See approved ticket: http://code.djangoproject.com/ticket/14261
>
> There, Luke Plant said:
>
> """
> +1, I was going to suggest it myself. The patch looks pretty good.
> After Django 1.3 is out, we should have some discussion on django-devs
> about:
>
> - what the default value should be (I think SAMEORIGIN would make it
> better for general use, with very little decrease in security).
> - whether we can avoid a new setting
> - whether the middleware should be on by default or in the project
> template.
> """
>
> I already changed the patch to default to SAMEORIGIN instead of DENY,
> so that should be cool. So it seems the other two points are what's up
> for some discussion. Anything else?

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.