#15258: Ajax CSRF protection doesn't apply to PUT or DELETE requests
------------------------------------------+-------------------------
Reporter: brodie | Owner: nobody
Status: new | Milestone: 1.4
Component: Core framework | Version: 1.2
Resolution: | Keywords: csrf ajax
Triage Stage: Accepted | Has patch: 1
Needs documentation: 0 | Needs tests: 1
Patch needs improvement: 0 |
------------------------------------------+-------------------------
Changes (by lukeplant):
* milestone: => 1.4
Comment:
I agree with both points made by tow21.
Given that the current CSRF protection works as advertised, we have to
regard this as a feature request, not a bug, so it will have to go into
1.4 now. Also, given the fact the protection will be extended to methods
besides POST, it will need a 'backwards compatibility' note in the release
notes for 1.4.
Other than these things, I don't think much more needs to be done on this.
--
Ticket URL: <http://code.djangoproject.com/ticket/15258#comment:3>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
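
An added example, not part of the ticket or Django's own code: a minimal model of the method gating the ticket is about, comparing a check that only covers POST with one that covers every non-safe HTTP method. The function names and the sample token are assumptions made for illustration.

```python
import hmac

# Methods HTTP defines as safe (RFC 7231); anything else may change state.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def needs_check_post_only(method):
    """Gating as described in the ticket title: only POST is checked."""
    return method.upper() == "POST"


def needs_check_unsafe(method):
    """Extended gating: every method that is not safe is checked."""
    return method.upper() not in SAFE_METHODS


def csrf_allows(method, cookie_token, header_token, needs_check):
    """Return True if the request may proceed (hypothetical helper).

    cookie_token: value of the CSRF cookie issued to the browser.
    header_token: value the Ajax client echoed in a request header.
    """
    if not needs_check(method):
        return True  # exempt from the token comparison
    if not cookie_token or not header_token:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(cookie_token.encode(), header_token.encode())


def audit(needs_check):
    """Run constructed requests that carry no token through one policy."""
    token = "constructed-sample-token"  # constructed value, not a real token
    return {m: csrf_allows(m, token, None, needs_check)
            for m in ("GET", "POST", "PUT", "DELETE", "PATCH")}


if __name__ == "__main__":
    print("POST-only :", audit(needs_check_post_only))
    print("all unsafe:", audit(needs_check_unsafe))
```

Views that already accept PUT or DELETE from clients that send no token are rejected under the second policy, which is the behaviour change a backwards-compatibility note has to cover.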