#9977: CSRFMiddleware needs template tag
---------------------------------------------+------------------------------
Reporter: bthomas | Owner: lukeplant
Status: assigned | Milestone: 1.2
Component: HTTP handling | Version: SVN
Resolution: | Keywords: csrf
Stage: Design decision needed | Has_patch: 1
Needs_docs: 1 | Needs_tests: 0
Needs_better_patch: 1 |
---------------------------------------------+------------------------------
Comment (by Glenn):
> Hmm, not sure about that. It's a nice tweak, but:
> * it makes the tests fail, and the fix isn't entirely trivial.
Not implementing a feature because it's a pain to update the tests is the
worst possible outcome of broad testing. I can do it when I have some
time, if we agree it's a good idea and you update the patch on the ticket
so I'm not working off old code.
> * if forms are created dynamically client side (e.g. by loading a bit of
> HTML via AJAX), they will fail since the cookie has not been set.
If you load HTML via AJAX, the AJAX response itself sets the cookie.
> Also, renaming csrfmiddlewaretoken to csrftoken would be good, but it
> will give upgrade problems, since it used to be called
> csrfmiddlewaretoken. At the moment, upgrading will be seamless for users
> even if they loaded a form before the upgrade and submitted it after, and
> it would be good to keep that.
Not always; if you have two forms loaded, reloading one will invalidate
the other, because it'll set the real CSRF cookie.
--
Ticket URL: <http://code.djangoproject.com/ticket/9977#comment:46>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.