#9977: CSRFMiddleware needs template tag
---------------------------------------------+------------------------------
Reporter: bthomas | Owner: lukeplant
Status: assigned | Milestone:
Component: Uncategorized | Version: SVN
Resolution: | Keywords: csrf
Stage: Design decision needed | Has_patch: 1
Needs_docs: 1 | Needs_tests: 0
Needs_better_patch: 1 |
---------------------------------------------+------------------------------
Comment (by lukeplant):
When I tried the git django mirrors they weren't working, so I've set up a
mercurial branch containing this stuff:
http://bitbucket.org/spookylukey/django-trunk-lukeplant/
It is a fork of http://bitbucket.org/spookylukey/django-trunk and has all
the updates we've talked about, apart from removing the hashing of the
cookie token (which you've convinced me about - it was useful when we were
session dependent, but not now).
With Firefox and Konqueror, you can't set a cookie for ".co.uk" (I've
tried that), and I presume that protection is in place for the others.
(That worries me slightly, because browsers must need to know rules that
will presumably need updating. But anyway...)
I can't help thinking that we need more help from browsers/HTTP, as that
paper suggests, to really produce a satisfactory solution, especially with
regard to HTTPS and MITM. Also, we need to be aware that, with regard to
login CSRF, Django will work slightly differently, as a session is created
'''before''' the user logs in, not on the POST request that contains the
authentication credentials, which complicates applying that paper
directly.
--
Ticket URL: <http://code.djangoproject.com/ticket/9977#comment:31>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
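As an added illustration of the session-independent, unhashed cookie-token check discussed in this comment (example code written here, not Django's CSRFMiddleware and not from lukeplant's branch; the cookie and form field names are assumed, and the login request below is constructed sample input):

```python
import hmac
import secrets

TOKEN_LENGTH = 32  # hex characters stored verbatim in the cookie, no hashing
COOKIE_NAME = "csrftoken"             # assumed cookie name
FIELD_NAME = "csrfmiddlewaretoken"    # assumed hidden form field name
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def generate_csrf_token() -> str:
    """Random per-client token; the same value goes in the cookie and the form."""
    return secrets.token_hex(TOKEN_LENGTH // 2)


def csrf_check(method: str, cookies: dict, post_data: dict) -> bool:
    """Double-submit check: the form token must equal the cookie token.

    The session is never consulted, so the check behaves the same on a
    login POST (where Django already has a session) as on any other POST.
    """
    if method.upper() in SAFE_METHODS:
        return True
    cookie_token = cookies.get(COOKIE_NAME)
    form_token = post_data.get(FIELD_NAME)
    if not cookie_token or not form_token:
        return False          # cross-site forms cannot read the cookie value
    if len(cookie_token) != TOKEN_LENGTH:
        return False          # reject malformed or injected cookie values
    # constant-time comparison avoids leaking the token via timing
    return hmac.compare_digest(cookie_token, form_token)


if __name__ == "__main__":
    token = generate_csrf_token()
    # constructed sample: a genuine login POST from a page that embedded the token
    login_post = {FIELD_NAME: token, "username": "alice", "password": "x"}
    print(csrf_check("POST", {COOKIE_NAME: token}, login_post))   # True
    # constructed sample: a forged cross-site login POST carrying no form token
    print(csrf_check("POST", {COOKIE_NAME: token}, {"username": "alice"}))  # False
```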