#9977: CSRFMiddleware needs template tag
---------------------------------------------+------------------------------
Reporter: bthomas | Owner: lukeplant
Status: assigned | Milestone:
Component: HTTP handling | Version: SVN
Resolution: | Keywords: csrf
Stage: Design decision needed | Has_patch: 1
Needs_docs: 1 | Needs_tests: 0
Needs_better_patch: 1 |
---------------------------------------------+------------------------------
Comment (by Glenn):
How do I get email notifications when a wiki page is changed (excluding
minor changes)? If there's no way to do that, then wiki pages aren't
usable for discussion.
Referer checking helps with login CSRF, but I don't think it helps same-domain
session fixing. I'm not sure any generally acceptable method fixes that
yet, though.
My approach protects against same-domain attacks via HTTP; referer
checking is less reliable for this.
The method I described has a property which makes it a bit simpler: its
behavior can nest outside of the main CSRF handling. In fact, it could
probably be implemented as a separate middleware (though there's no reason
to actually do so). I may implement it as a proof-of-concept to see how
tricky it is.
--
Ticket URL: <http://code.djangoproject.com/ticket/9977#comment:36>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
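To make the trade-off in the comment concrete (referer checking stops a cross-site login CSRF but not a same-domain attack), here is a referer check written as a stand-alone middleware in the shape Django's middleware takes. This is an added example, not code from Django, from the ticket's patch, or from the commenter's own approach. The `Request`/`Response` classes are constructed stand-ins for `django.http.HttpRequest`/`HttpResponse` so the file runs without Django installed; only `method`, `META`, `get_host()` and `is_secure()` are used, and those exist on the real request. The hostname `app.example`, `evil.example` and the `/login` view are made up for the scenario.

```python
"""Referer-based CSRF check as a stand-alone middleware (added example).

Not Django's CsrfViewMiddleware and not the ticket's patch. Request/Response
are constructed stand-ins for django.http.HttpRequest/HttpResponse so this
runs offline; the attributes used (method, META, get_host(), is_secure())
exist on the real HttpRequest.
"""
from urllib.parse import urlsplit

UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def referer_matches_host(referer, host, secure):
    """True if `referer` is an absolute URL on the same scheme and host.

    The scheme is pinned so a plain-http page cannot drive the https site.
    A missing or malformed Referer fails closed (strict mode).
    """
    if not referer:
        return False
    parts = urlsplit(referer)
    expected_scheme = "https" if secure else "http"
    return parts.scheme == expected_scheme and parts.netloc.lower() == host.lower()


class Response:
    """Constructed stand-in for HttpResponse: a status code and a body."""
    def __init__(self, status_code, content):
        self.status_code = status_code
        self.content = content


class Request:
    """Constructed stand-in for HttpRequest with just what the check needs."""
    def __init__(self, method, host, secure, referer=None):
        self.method = method
        self._host = host
        self._secure = secure
        self.META = {} if referer is None else {"HTTP_REFERER": referer}

    def get_host(self):
        return self._host

    def is_secure(self):
        return self._secure


class RefererCheckMiddleware:
    """Reject state-changing requests whose Referer is not on our own origin.

    Independent of any token-based CSRF handling: it simply wraps the next
    callable in the chain, so it can be deployed on its own.
    """
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        if request.method in UNSAFE_METHODS:
            referer = request.META.get("HTTP_REFERER")
            if not referer_matches_host(referer, request.get_host(), request.is_secure()):
                return Response(403, "Referer check failed")
        return self.get_response(request)


def login_view(request):
    """Hypothetical login endpoint; the target of the CSRF scenarios below."""
    return Response(200, "logged in")


def simulate():
    """Send constructed requests through the middleware; return their statuses."""
    app = RefererCheckMiddleware(login_view)
    host = "app.example"
    cases = {
        # Classic login CSRF: form auto-submitted from an attacker's site.
        "cross_site": Request("POST", host, True, referer="https://evil.example/x.html"),
        # Legitimate POST from our own login page.
        "same_site": Request("POST", host, True, referer="https://app.example/login"),
        # Attacker-controlled page on our own host (e.g. uploaded HTML):
        # the Referer is on the right origin, so the check cannot stop it.
        "same_domain_attacker": Request("POST", host, True,
                                        referer="https://app.example/uploads/evil.html"),
        # Plain-http page posting to the https site: scheme mismatch, rejected.
        "http_to_https": Request("POST", host, True, referer="http://app.example/login"),
        # Safe methods are never checked.
        "get": Request("GET", host, True),
    }
    return {name: app(req).status_code for name, req in cases.items()}


if __name__ == "__main__":
    for name, status in simulate().items():
        print(f"{name:22s} -> {status}")
```

The `same_domain_attacker` case is the point of the comment: any page the attacker can get served from the application's own origin carries an acceptable Referer, so this check offers nothing against it, while the cross-site and http-to-https cases are rejected. Rejecting a missing Referer is a deliberate strictness choice here; a production deployment has to decide how to treat clients and proxies that strip the header.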
You received this message because you are subscribed to the Google Groups "Django updates" group.