Re: Video Calling application using Django

2019-04-12 Thread Mat Gadd
This mailing list is for the development of Django itself, not for support 
using Django. Please use the django-users mailing list for that, or IRC #django 
on freenode, or a site like Stack Overflow.

> On 12 Apr 2019, at 06:39, K Surya Kumar wrote:
> 
> Hi,
> I'm planning to build a video chatting web app using the Django framework 
> for my pg project. But I don't have a clear idea how to start with building 
> a video chatting app (flow), and I came across terms like WebRTC 
> when searching for web video chatting APIs.
> 
> Can't anyone guide me how to start with it.
> 
> thanks in advance,
> Surya
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to django-developers+unsubscr...@googlegroups.com 
> .
> To post to this group, send email to django-developers@googlegroups.com 
> .
> Visit this group at https://groups.google.com/group/django-developers 
> .
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/django-developers/ca03b9ee-f45f-4437-9637-eea2ff93fdcc%40googlegroups.com
>  
> .
> For more options, visit https://groups.google.com/d/optout 
> .



Re: Django 2.1 default of samesite=Lax for Session and CSRF cookies cause issues on Safari 12

2019-03-18 Thread Mat Gadd
You're correct that is how they rewrite the URLs, but I did know that and 
expect that to be the case.

> On 18 Mar 2019, at 17:35, René Fleschenberg wrote:
> 
> Hi.
> 
> On 3/18/19 12:26 PM, Mat Gadd wrote:
>> Weirdly, it appears that Gmail isn't inserting click tracking for the
>> plain password reset link, but when I use my own URL shortener, I can
>> also see the google.com <http://google.com> redirect in play. It may
>> just be dev tools behaving strangely, or perhaps Google have tried to
>> avoid adding their tracker for password reset links. Who knows!
> 
> I did not take the time to analyze this as thoroughly as I should have,
> but from a cursory look, it seemed to me that Gmail rewrites the links
> using Javascript, and only when you click on them. Could that explain
> your observations?
> 
> -- 
> René
> 


Re: Django 2.1 default of samesite=Lax for Session and CSRF cookies cause issues on Safari 12

2019-03-18 Thread Mat Gadd
As the author of 29975, I figured I'd weigh in here.

I've set our site to use SESSION_COOKIE_SAMESITE = None and 
CSRF_COOKIE_SAMESITE = None and tested password reset links with and without 
click tracking (in addition to Gmail's tracking), and it certainly appears to 
fix the issue with Safari on macOS and iOS for me.

Weirdly, it appears that Gmail isn't inserting click tracking for the plain 
password reset link, but when I use my own URL shortener, I can also see the 
google.com redirect in play. It may just be dev tools 
behaving strangely, or perhaps Google have tried to avoid adding their tracker 
for password reset links. Who knows!

> On 15 Mar 2019, at 14:38, Florian Apolloner wrote:
> 
> Hi Flavio,
> 
> On Friday, March 15, 2019 at 2:56:16 PM UTC+1, Flávio Junior wrote:
> > shouldn't httponly yes/no control whether JS can read the data?
> 
> Yes. But, on Django, the default is httponly false for CSRF cookie. 
> So even without httponly, Safari doesn't allow JS to read the CSRF cookie. 
> Safari also doesn't send the session cookie nor the CSRF cookie during the 
> request (if it comes from a cross-site source, like an email tracker 
> redirection). 
> 
> Oh sorry I was being unclear here. What I wanted to say/ask is whether you 
> had set httponly because I couldn't imagine the SameSite policy to affect 
> that. Thanks for clearing that up.
> 
>  
> > I am wondering if this also results in 
> > https://code.djangoproject.com/ticket/29975 
> > or if this is just a result of their tracking protection
> 
> Yes, I think it's the same problem. I don't think this is a result of the 
> "Protection Against First Party Bounce Trackers" because the issue doesn't 
> happen if SESSION_COOKIE_SAMESITE = None and CSRF_COOKIE_SAMESITE = None, 
> which is the behavior of Django < 2.1.
> This is an issue with Django 2.1 defaults + Safari 12 + cross-site 
> redirection.
> That's why I suggested a change on defaults, or at least some clear warning.
> 
> Interesting, it would certainly be nice if I/someone could verify this. If 
> setting the policy from lax to none also fixes the password reset issue, then 
> I am mostly in favor of a "warning" somewhere for now. I do not think that a 
> simple default change is a good idea in the long run. I'll mail you later for 
> credentials (If I don't find some lying around in the company).
> 
> As for the beta versions, is it possible that you would only update Safari or 
> would you have to update your whole iOS/macOS? Ie could you test with 
> https://developer.apple.com/safari/technology-preview/ if the issue is gone 
> again on your mac?
> 
> Cheers,
> Florian
> 


Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2019-02-21 Thread Mat Gadd
You can see this in action yourself using Chrome's Dev Tools. Open Dev
Tools, then their Settings, and turn on "Auto-open DevTools for popups".
Then, click any link in the Gmail web app. You'll see you go via
google.com/url?q=original_url_here. Since they're doing this with
JavaScript, the links look like they're going to open the real URL, but
they *don't.*

On Thu, 21 Feb 2019 at 10:44, Mat Gadd wrote:

> Exactly that, yes. We've disabled all click tracking that we can, but
> Gmail has its own redirect which causes Safari's privacy features to kick
> in. (Some?) Gmail users are unable to use the password reset emails.
>
> On Thursday, 21 February 2019 01:03:54 UTC, Philip James wrote:
>>
>> Mat, are you saying you're seeing Safari still blocking, even with click
>> tracking turned off, because GMail itself is inserting a redirect?
>>
>> PJJ
>> http://philipjohnjames.com
>>
>>
>> On Wed, Feb 20, 2019 at 4:46 AM Mat Gadd wrote:
>>
>>> We're also now seeing Gmail users complain that the password reset links
>>> don't work, even after we disabled click tracking. It seems that Google are
>>> inserting their own click tracking into users' emails, which is… weird?
>>>
>>> The markup of links is transformed to the following (where … is our
>>> original URL):
>>>
>>> https://www.google.com/url?q=…;>Link text here
>>>
>>> Gmail is a *huge* provider of emails, and they make up around 54% of our
>>> user base. Anyone using the Gmail web app can no longer reset their
>>> password simply by clicking the link in the email.
>>>
>>> On Wednesday, 23 January 2019 12:51:22 UTC, Perry Roper wrote:
>>>>
>>>> It would appear that this affects a large number of users. We're also
>>>> experiencing this in the following configurations.
>>>>
>>>> - Mailgun click tracking enabled + Safari 12.0 on MacOS or any browser
>>>> in iOS 12
>>>> - Clicking the link in the Gmail app or web app (Mailgun click tracking
>>>> disabled) + Safari 12.0 on MacOS or any browser in iOS 12.
>>>>
>>>> All iOS 12 browsers and MacOS Safari users using the Gmail app, or in
>>>> any email client if the site they are requesting a password from uses link
>>>> tracking.
>>>>
>>>> On Thursday, 22 November 2018 20:43:15 UTC+7, Mat Gadd wrote:
>>>>>
>>>>> Hi all,
>>>>>
>>>>> I raised a ticket <https://code.djangoproject.com/ticket/29975>
>>>>> regarding this and was directed here to discuss the topic. The summary is
>>>>> that the combination of using click-tracking redirects (which are popular
>>>>> with a variety of email providers) with the Django contrib.auth password
>>>>> reset views does not work in Safari on macOS and iOS as of the latest major
>>>>> versions.
>>>>>
>>>>> It took me quite a long time to work out what was happening, so I
>>>>> wanted to at least raise a ticket where other people might find it, but was
>>>>> also hoping to start a discussion around how else the problem could be
>>>>> mitigated. An option to disable the internal token redirect might be
>>>>> useful, but that then re-opens the token up to being leaked via the
>>>>> HTTP_REFERER header.
>>>>>
>>>>> Regards,
>>>>>  - Mat
>>>>>

Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2019-02-21 Thread Mat Gadd
Exactly that, yes. We've disabled all click tracking that we can, but Gmail 
has its own redirect which causes Safari's privacy features to kick in. 
(Some?) Gmail users are unable to use the password reset emails.

On Thursday, 21 February 2019 01:03:54 UTC, Philip James wrote:
>
> Mat, are you saying you're seeing Safari still blocking, even with click 
> tracking turned off, because GMail itself is inserting a redirect?
>
> PJJ
> http://philipjohnjames.com
>
>
> On Wed, Feb 20, 2019 at 4:46 AM Mat Gadd wrote:
>
>> We're also now seeing Gmail users complain that the password reset links 
>> don't work, even after we disabled click tracking. It seems that Google are 
>> inserting their own click tracking into users' emails, which is… weird?
>>
>> The markup of links is transformed to the following (where … is our 
>> original URL):
>>
>> https://www.google.com/url?q=…;>Link text here
>>
>> Gmail is a *huge* provider of emails, and they make up around 54% of our 
>> user base. Anyone using the Gmail web app can no longer reset their 
>> password simply by clicking the link in the email. 
>>
>> On Wednesday, 23 January 2019 12:51:22 UTC, Perry Roper wrote:
>>>
>>> It would appear that this affects a large number of users. We're also 
>>> experiencing this in the following configurations.
>>>
>>> - Mailgun click tracking enabled + Safari 12.0 on MacOS or any browser 
>>> in iOS 12
>>> - Clicking the link in the Gmail app or web app (Mailgun click tracking 
>>> disabled) + Safari 12.0 on MacOS or any browser in iOS 12.
>>>
>>> All iOS 12 browsers and MacOS Safari users using the Gmail app, or in 
>>> any email client if the site they are requesting a password from uses link 
>>> tracking.
>>>
>>> On Thursday, 22 November 2018 20:43:15 UTC+7, Mat Gadd wrote:
>>>>
>>>> Hi all,
>>>>
>>>> I raised a ticket <https://code.djangoproject.com/ticket/29975> 
>>>> regarding this and was directed here to discuss the topic. The summary is 
>>>> that the combination of using click-tracking redirects (which are popular 
>>>> with a variety of email providers) with the Django contrib.auth password 
>>>> reset views does not work in Safari on macOS and iOS as of the latest major 
>>>> versions.
>>>>
>>>> It took me quite a long time to work out what was happening, so I 
>>>> wanted to at least raise a ticket where other people might find it, but was 
>>>> also hoping to start a discussion around how else the problem could be 
>>>> mitigated. An option to disable the internal token redirect might be 
>>>> useful, but that then re-opens the token up to being leaked via the 
>>>> HTTP_REFERER header.
>>>>
>>>> Regards,
>>>>  - Mat
>>>>


Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2019-02-20 Thread Mat Gadd
We're also now seeing Gmail users complain that the password reset links 
don't work, even after we disabled click tracking. It seems that Google are 
inserting their own click tracking into users' emails, which is… weird?

The markup of links is transformed to the following (where … is our 
original URL):

https://www.google.com/url?q=…;>Link text here

Gmail is a *huge* provider of emails, and they make up around 54% of our 
user base. Anyone using the Gmail web app can no longer reset their 
password simply by clicking the link in the email. 

On Wednesday, 23 January 2019 12:51:22 UTC, Perry Roper wrote:
>
> It would appear that this affects a large number of users. We're also 
> experiencing this in the following configurations.
>
> - Mailgun click tracking enabled + Safari 12.0 on MacOS or any browser in 
> iOS 12
> - Clicking the link in the Gmail app or web app (Mailgun click tracking 
> disabled) + Safari 12.0 on MacOS or any browser in iOS 12.
>
> All iOS 12 browsers and MacOS Safari users using the Gmail app, or in any 
> email client if the site they are requesting a password from uses link 
> tracking.
>
> On Thursday, 22 November 2018 20:43:15 UTC+7, Mat Gadd wrote:
>>
>> Hi all,
>>
>> I raised a ticket <https://code.djangoproject.com/ticket/29975> 
>> regarding this and was directed here to discuss the topic. The summary is 
>> that the combination of using click-tracking redirects (which are popular 
>> with a variety of email providers) with the Django contrib.auth password 
>> reset views does not work in Safari on macOS and iOS as of the latest major 
>> versions.
>>
>> It took me quite a long time to work out what was happening, so I wanted 
>> to at least raise a ticket where other people might find it, but was also 
>> hoping to start a discussion around how else the problem could be 
>> mitigated. An option to disable the internal token redirect might be 
>> useful, but that then re-opens the token up to being leaked via the 
>> HTTP_REFERER header.
>>
>> Regards,
>>  - Mat
>>
>



Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2018-11-26 Thread Mat Gadd
Ah, I forgot to include it here, sorry – it's on the ticket linked in my 
original message:

[…] "Protection Against First Party Bounce Trackers" feature of Safari on 
macOS and iOS, as described on the WebKit blog 
<https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/>.

On Monday, 26 November 2018 09:29:02 UTC, Florian Apolloner wrote:
>
>
>
> On Monday, November 26, 2018 at 10:28:07 AM UTC+1, Mat Gadd wrote:
>>
>> Florian, it's not strictly an "internal redirect on a page", but the 
>> combination of being bounced from a different domain to our site, and their 
>> our site immediately performing its own redirect. If the links were 
>> directly to our server, I don't believe this issue would occur.
>>
>
> Interesting, are there any docs on this feature? 
>



Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2018-11-26 Thread Mat Gadd
Hi both,

Adam, you're right that the email provider is rewriting the URLs to point 
to their server which then redirects to our site. The contrib.auth module 
then performs *another* redirect which appears to cause the privacy feature 
to kick in. If Django didn't perform a redirect then it would work as 
expected. As-is, the cookie that is attempted to be set before the redirect 
is thrown away by Safari and the user sees a message that their token is 
invalid.

Florian, it's not strictly an "internal redirect on a page", but the 
combination of being bounced from a different domain to our site, and then 
our site immediately performing its own redirect. If the links were 
directly to our server, I don't believe this issue would occur.

Regards,
 - Mat

On Sunday, 25 November 2018 20:37:27 UTC, Florian Apolloner wrote:
>
> I guess it would help to know how Safari's tracking protection does work 
> (I do not own a Mac) -- it seems hard to imagine that an internal redirect 
> on a page triggers the protection. In that sense it seems more like a 
> ISP-problem like Adam pointed out.
>
> On Sunday, November 25, 2018 at 9:39:28 AM UTC+1, Adam Johnson wrote:
>>
>> It sounds to me that this is your email provider rewriting the link to go 
>> through their tracking site, and Safari now blocks the tracking site. I 
>> don't see how Django can do anything around this - the "internal token 
>> redirect" (which I guess means a Django generated redirect from one page to 
>> another on your site) is going to be after going through the tracking site, 
>> no?
>>
>> On Thu, 22 Nov 2018 at 09:51, Mat Gadd wrote:
>>
>>> Hi all,
>>>
>>> I raised a ticket <https://code.djangoproject.com/ticket/29975> 
>>> regarding this and was directed here to discuss the topic. The summary is 
>>> that the combination of using click-tracking redirects (which are popular 
>>> with a variety of email providers) with the Django contrib.auth password 
>>> reset views does not work in Safari on macOS and iOS as of the latest major 
>>> versions.
>>>
>>> It took me quite a long time to work out what was happening, so I wanted 
>>> to at least raise a ticket where other people might find it, but was also 
>>> hoping to start a discussion around how else the problem could be 
>>> mitigated. An option to disable the internal token redirect might be 
>>> useful, but that then re-opens the token up to being leaked via the 
>>> HTTP_REFERER header.
>>>
>>> Regards,
>>>  - Mat
>>>
>>
>>
>> -- 
>> Adam
>>
>

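An added example, not part of the thread and not Django's code: a pure-Python toy model of the flow described in the message above (tracker bounce, then the reset view's own redirect to a token-free URL), which also covers the SameSite workaround and the Referer trade-off raised elsewhere in this thread. The browser rule that withholds SameSite=Lax cookies on that redirect is an assumption taken from the reports here, and all names (Browser, reset_confirm, click_reset_link, the sample token) are hypothetical.

```python
"""Toy model of the reset flow discussed in this thread (constructed, not Django code)."""
from dataclasses import dataclass, field

SET_PASSWORD = "set-password"  # token-free path segment used after the internal redirect
VALID_TOKEN = "tok-123"        # constructed sample reset token


@dataclass
class Browser:
    # ASSUMPTION taken from the reports in this thread: when True, cookies marked
    # SameSite=Lax are withheld on a redirect hop whose chain began on another site.
    withholds_lax_after_bounce: bool
    jar: dict = field(default_factory=dict)  # cookie name -> (value, samesite)

    def cookies_for(self, chain_began_cross_site):
        sent = {}
        for name, (value, samesite) in self.jar.items():
            blocked = (samesite == "Lax" and chain_began_cross_site
                       and self.withholds_lax_after_bounce)
            if not blocked:
                sent[name] = value
        return sent


def reset_confirm(url_token, cookies, sessions, internal_redirect=True):
    """Simplified server side: stash the token in the session, then redirect."""
    page = {"status": 200, "page_url": f"/reset/uid/{url_token}/"}
    if not internal_redirect:
        # Hypothetical "no redirect" option: the token stays in the page URL.
        return {**page, "form_shown": url_token == VALID_TOKEN}
    if url_token == SET_PASSWORD:
        stored = sessions.get(cookies.get("sessionid"))
        return {**page, "form_shown": stored == VALID_TOKEN}
    if url_token == VALID_TOKEN:
        sid = cookies.get("sessionid") or f"sid-{len(sessions) + 1}"
        sessions[sid] = url_token
        return {"status": 302, "next_token": SET_PASSWORD, "set_cookie": ("sessionid", sid)}
    return {**page, "form_shown": False}


def click_reset_link(browser, samesite, via_tracker, internal_redirect=True):
    """Follow the link (optionally bounced through a tracker) until a page renders."""
    sessions, token = {}, VALID_TOKEN
    while True:
        resp = reset_confirm(token, browser.cookies_for(via_tracker),
                             sessions, internal_redirect)
        if resp["status"] != 302:
            # A token in the page URL is what would reach third parties via Referer.
            resp["token_in_page_url"] = VALID_TOKEN in resp["page_url"]
            return resp
        name, value = resp["set_cookie"]
        browser.jar[name] = (value, samesite)  # samesite=None means attribute omitted
        token = resp["next_token"]


if __name__ == "__main__":
    for samesite in ("Lax", None):
        for via_tracker in (True, False):
            r = click_reset_link(Browser(True), samesite, via_tracker)
            print(f"SameSite={samesite!s:4} tracker={via_tracker!s:5} form_shown={r['form_shown']}")
    r = click_reset_link(Browser(True), "Lax", True, internal_redirect=False)
    print("no internal redirect:", r["form_shown"], "token in URL:", r["token_in_page_url"])
```

In this model only the combination of a Lax session cookie, a cross-site bounce and the withholding browser ends with the "invalid token" page; dropping the internal redirect also avoids it, but leaves the token in the URL of the page that renders the form.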


Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2018-11-22 Thread Mat Gadd
Hi all,

I raised a ticket <https://code.djangoproject.com/ticket/29975> regarding 
this and was directed here to discuss the topic. The summary is that the 
combination of using click-tracking redirects (which are popular with a 
variety of email providers) with the Django contrib.auth password reset 
views does not work in Safari on macOS and iOS as of the latest major 
versions.

It took me quite a long time to work out what was happening, so I wanted to 
at least raise a ticket where other people might find it, but was also 
hoping to start a discussion around how else the problem could be 
mitigated. An option to disable the internal token redirect might be 
useful, but that then re-opens the token up to being leaked via the 
HTTP_REFERER header.

Regards,
 - Mat
