Re: FR: Setting for CSRF Header (pull-request included)

2014-08-04 Thread Wes Alvaro
Yeah, I would agree with you. You should know what your csrf middleware is doing when you enable it so you should know what cookie name, etc is being used for your JS. On Aug 4, 2014 12:56 PM, "Donald Stufft" wrote: > > > On August 4, 2014 at 3:52:56 PM, Wes Alvaro

Re: FR: Setting for CSRF Header (pull-request included)

2014-08-04 Thread Donald Stufft
On August 4, 2014 at 3:52:56 PM, Wes Alvaro (he...@wesalvaro.com) wrote: > I don't see that as a drawback at all. Third party code should not be > concerned with the CSRF cookie information. There's a separation of > concerns that's being violated there. Are you speaking from knowledge of > 3rd

Re: FR: Setting for CSRF Header (pull-request included)

2014-08-04 Thread Wes Alvaro
I don't see that as a drawback at all. Third party code should not be concerned with the CSRF cookie information. There's a separation of concerns that's being violated there. Are you speaking from knowledge of 3rd party code needing access to this data or hypothetically? If you have an

Re: FR: Setting for CSRF Header (pull-request included)

2014-07-08 Thread Tim Graham
The main problem I see with this approach is that it would no longer be straightforward for 3rd party code to access these settings. You'd need something akin to get_user_model() to retrieve the currently installed CSRF middleware so you could access its settings. Take a look here for examples

Re: FR: Setting for CSRF Header (pull-request included)

2013-12-02 Thread Wesley Alvaro
I agree; that's exactly the issue I'm trying to rectify. I'd like the backend to be constant and just work. We have many applications that run off of the same Django setup, essentially differing only in their handlers. That's why I'd like to configure the backend once and my front-ends (not

Re: FR: Setting for CSRF Header (pull-request included)

2013-11-22 Thread Lee Trout
Looking at it objectively I'm on the fence. Angular's $http is easily configurable at the provider level and I feel like the onus is on any front-end tool to be flexible enough to work with different servers. At the same time if I needed the same code to talk to Django, Flask, and Node then I

FR: Setting for CSRF Header (pull-request included)

2013-11-22 Thread Wesley Alvaro
I've been using AngularJS with Django, but I have to override the default CSRF cookie/header values in AngularJS since only one of the values (the cookie name) can be overridden in Django. This is a humble request to add a setting for the CSRF header name so that I can maintain it as my