Did you look at the GitHub code search link in my previous email? You may 
substitute the other CSRF setting names and determine if you think people 
are doing legitimate things or not.

On Monday, August 4, 2014 5:13:57 PM UTC-4, Wes Alvaro wrote:
>
> Yeah, I would agree with you. You should know what your CSRF middleware is 
> doing when you enable it, so you should know what cookie name, etc. is being 
> used for your JS.
> On Aug 4, 2014 12:56 PM, "Donald Stufft" <[email protected]> wrote:
>
>>
>>
>> On August 4, 2014 at 3:52:56 PM, Wes Alvaro ([email protected]) wrote:
>> > I don't see that as a drawback at all. Third party code should not be
>> > concerned with the CSRF cookie information. There's a separation of
>> > concerns that's being violated there. Are you speaking from knowledge of
>> > 3rd party code needing access to this data or hypothetically? If you have
>> > an example, I'd be interested to see why they are accessing it and why they
>> > aren't implemented as a CSRF middleware.
>> >
>>
>> Well, anything with hardcoded cookie names in JavaScript would break
>> with this setting, although I’m inclined to say you shouldn’t change
>> the setting in that case.
>>
>> --
>> Donald Stufft
>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>>
>
