Author: PaulM
Date: 2011-11-21 17:05:14 -0800 (Mon, 21 Nov 2011)
New Revision: 17140

Modified:
   django/trunk/docs/releases/1.4.txt
Log:
Improved release notes about session cookie httponly flag (#16847) per Luke's 
comments.


Modified: django/trunk/docs/releases/1.4.txt
===================================================================
--- django/trunk/docs/releases/1.4.txt  2011-11-21 23:40:11 UTC (rev 17139)
+++ django/trunk/docs/releases/1.4.txt  2011-11-22 01:05:14 UTC (rev 17140)
@@ -498,9 +498,6 @@
 * Added the :djadminopt:`--no-location` option to the :djadmin:`makemessages`
   command.
 
-* Changed the default value for ``httponly`` on session cookies to
-  ``True`` to help reduce the impact of potential XSS attacks.
-
 * Changed the ``locmem`` cache backend to use
   ``pickle.HIGHEST_PROTOCOL`` for better compatibility with the other
   cache backends.
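Review bot: dropping this bullet leaves the minor-features list with no pointer to the ``httponly`` change, so a reader skimming that list will not learn that a default changed; consider keeping a one-line entry here that refers to the new backwards-incompatible section rather than removing the mention entirely.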
@@ -948,3 +945,11 @@
         return value
 
 See :ref:`filters and auto-escaping <filters-auto-escaping>` for more 
information.
+
+Session cookies now have the ``httponly`` flag by default
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Session cookies now include the ``httponly`` attribute by default to
+help reduce the impact of potential XSS attacks. For strict backwards
+compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in settings.
+
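Review bot: the setting name in ``use ``SESSION_COOKIE_HTTPONLY = False`` in settings`` should be a cross-reference (``:setting:`SESSION_COOKIE_HTTPONLY```) so readers can jump to its definition, matching the ``:djadminopt:`` and ``:ref:`` roles used elsewhere in this file. The sentence "help reduce the impact of potential XSS attacks" would also be more accurate if it said what the flag actually does: it stops client-side script from reading the session cookie (e.g. via ``document.cookie``) in browsers that honour the attribute, which limits session theft from an XSS, but does not prevent XSS itself. The trailing ``+`` blank line adds an empty line at end of file; drop it.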
