On Mon, Jul 15, 2019 at 10:27 PM Curtis Maloney <[email protected]> wrote:
> I think there is certainly a strong case based on "secure by default" to
> include this in core, where it would otherwise face the "it works fine as a
> 3rd party app" barrier to entry.
>
> IMHO it would require, however, that the solutions be sufficiently generic
> as to not enforce an overly restrictive world view.
>
> I, for one, would be very interested to see more details here on what
> changes you propose. Then, at least, we can keep a mailing-list history
> record of the discussion.
>

I had an attack of Real Life™ a while back which prevented following up on this thread, but I have some thoughts I'd be happy to write up and share here, and can at least try to find time to put in some work on implementation.

I'll try to get something more detailed when the weekend rolls around again, but the short version is that I'd like to spin up a third-party project to do the implementation work in, and then look at integrating it back into Django at a later time once it's been able to mature a bit. That's been a successful model for a few other larger projects in the past, and I think is also the right approach for doing this particular type of security work, since there's still a decent amount of flux in the relevant standards and their implementations (to take one example, the Referrer-Policy header has had some consistency issues with browser implementations) which would make me wary of putting it straight into Django and enabled or even recommended by default.

-- 
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAL13Cg_LFUDGemLg7QYpcx-NKfhvc6U%3D3naaUz-YdTgt6G04RQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
