#9977: CSRFMiddleware needs template tag
---------------------------------------------+------------------------------
Reporter: bthomas | Owner: lukeplant
Status: assigned | Milestone:
Component: HTTP handling | Version: SVN
Resolution: | Keywords: csrf
Stage: Design decision needed | Has_patch: 1
Needs_docs: 1 | Needs_tests: 0
Needs_better_patch: 1 |
---------------------------------------------+------------------------------
Comment (by lukeplant):
I can't find a way to get notifications. I guess we can discuss on here,
but conclusions (so that other people can assess them) should be on the
wiki page.
I'm nervous about your proposal because it's just quite complex. It would
be easy for there to be some corner that we haven't thought about. The
solutions on the wiki page are all well known and well analysed ones
(there was the one I implemented for Django 1.0, and the one you produced
a patch for in #10816, which are documented exactly in the PDF paper,
which nonetheless threw up issues that we hadn't thought about). I'm not
that worried about fixing cross subdomain attacks because allowing
untrusted subdomains is a serious vulnerability anyway due to session
fixation. So, to ease analysis, implementation, documentation, and
understanding by the end user, I vote KISS.
--
Ticket URL: <http://code.djangoproject.com/ticket/9977#comment:37>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.