Hi guys,

Recently I was working with Django's CSRF protection, customizing it to my needs, and discussing with co-workers exactly how it works and how it has protection against the BREACH attack being used to retrieve the CSRF key.

Relevant code here: https://github.com/django/django/blob/master/django/middleware/csrf.py#L45

One point of confusion is the use of the term salt in Django's source code. People expect salt to mean the same as salt in the database, which works quite differently and doesn't mask the actual secret. I'm not a security expert so I may be wrong, but I think that "One-time pad", "XOR mask" or just "mask" would be more accurate terms.

I propose to change the "salt" to "mask" everywhere these terms appear in the CSRF code, and similarly "unsalt" to "unmask". As far as I know this wouldn't affect functionality at all, because the term "salt" doesn't appear in actual tokens.

What do you think?

Ram.
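The masking idea discussed in the message above, as an added example that is not part of the original message and is not Django's code: a fresh random mask is combined with the secret for every response and sent alongside it, so the token text changes each time while the recoverable secret stays the same. The names `mask_secret`, `unmask_token`, `tokens_match`, `ALPHABET` and `SECRET_LENGTH`, the 32-character length, and the use of character-wise modular addition over letters and digits are assumptions made for this sketch.

```python
import secrets
import string

# Assumed parameters for this sketch: 32-character secrets over letters and digits.
ALPHABET = string.ascii_letters + string.digits
SECRET_LENGTH = 32


def random_string(length=SECRET_LENGTH):
    """Generate a random string from ALPHABET using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def mask_secret(secret, mask=None):
    """Return mask + masked secret; a fresh random mask is drawn unless one is given."""
    if mask is None:
        mask = random_string(len(secret))
    if len(mask) != len(secret):
        raise ValueError("mask must be as long as the secret")
    pairs = zip((ALPHABET.index(c) for c in secret), (ALPHABET.index(c) for c in mask))
    masked = "".join(ALPHABET[(s + m) % len(ALPHABET)] for s, m in pairs)
    return mask + masked


def unmask_token(token):
    """Split the token into its mask and masked halves and subtract the mask."""
    if len(token) != 2 * SECRET_LENGTH or any(c not in ALPHABET for c in token):
        raise ValueError("malformed token")
    mask, masked = token[:SECRET_LENGTH], token[SECRET_LENGTH:]
    pairs = zip((ALPHABET.index(c) for c in masked), (ALPHABET.index(c) for c in mask))
    return "".join(ALPHABET[(c - m) % len(ALPHABET)] for c, m in pairs)


def tokens_match(token_a, token_b):
    """Compare two masked tokens by their underlying secrets, in constant time."""
    return secrets.compare_digest(unmask_token(token_a), unmask_token(token_b))


if __name__ == "__main__":
    secret = random_string()  # constructed sample secret
    t1, t2 = mask_secret(secret), mask_secret(secret)
    # The two tokens differ on the wire but carry the same secret.
    print(t1 != t2, unmask_token(t1) == secret, tokens_match(t1, t2))
```

Unlike a password-hash salt, the value prepended here is enough to reverse the transformation, which is the distinction the message draws between "salt" and "mask".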