On 14/11/2007, Chris Green <[EMAIL PROTECTED]> wrote:
>
> On Nov 10, 2007 8:58 PM, Malcolm Tredinnick <[EMAIL PROTECTED]>
> wrote:
>
> > Yeah, I'm not really sure what I mean, design-wise. I feel a little
> > uncomfortable about requiring the csrf key all the time in form
> > submissions, but I can't pin down why yet. As a consequence of that, the
> > middleware doesn't quite do the trick for me, because it's always on
> > (you can't say "don't touch this form, I'm handling it manually").
>
> I think the use case for when you don't want CSRF protection is when
> you are trying to encourage someone to send you POSTS. Think a
> "google search engine form" on your own home page where you are
> implementing the "google" part or perhaps a piece of software that
> posts to home regarding an error condition.

Another use case - AJAX behaviours where a page sends the django app
multiple post requests without having a "form" in the html page. I
process ajax requests via Newforms like any other post, so having it as
part of that would be nicer imho, and allow disabling it.

Rob :)
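
An added illustration of the design discussed in this thread (not code from the thread or from Django): a CSRF check that lives in the form's validation, so a single form can opt out and an AJAX post can carry the token as an ordinary field. `CsrfCheckedForm`, `csrf_protect`, `make_csrf_token`, the `csrf_token` field name and the HMAC token derivation are all hypothetical.

```python
import hashlib
import hmac
from typing import Optional

SECRET_KEY = b"constructed-demo-secret"  # assumption: stands in for the site's secret


def make_csrf_token(session_id: str) -> str:
    """Per-session token; unpredictable to other sites without SECRET_KEY."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


class CsrfCheckedForm:
    """Hypothetical form base class: the CSRF check is part of validation."""

    csrf_protect = True  # per-form switch, which an always-on middleware lacks

    def __init__(self, data: dict, session_id: Optional[str]):
        self.data = data
        self.session_id = session_id
        self.errors: list = []

    def is_valid(self) -> bool:
        self.errors = []
        if self.csrf_protect and not self._csrf_ok():
            self.errors.append("csrf token missing or incorrect")
        return not self.errors

    def _csrf_ok(self) -> bool:
        submitted = self.data.get("csrf_token")
        if self.session_id is None or not isinstance(submitted, str):
            return False
        expected = make_csrf_token(self.session_id)
        return hmac.compare_digest(submitted.encode(), expected.encode())


class ProfileForm(CsrfCheckedForm):
    """State-changing form: keeps the default check, HTML form or AJAX post alike."""


class SearchForm(CsrfCheckedForm):
    """Form that other sites are meant to POST to, so it opts out."""
    csrf_protect = False


if __name__ == "__main__":
    token = make_csrf_token("sess-1")  # constructed session id
    # An AJAX post sends the token as an ordinary field; no <form> is needed.
    print(ProfileForm({"name": "rob", "csrf_token": token}, "sess-1").is_valid())
    print(ProfileForm({"name": "rob"}, "sess-1").is_valid())
    print(SearchForm({"q": "django"}, None).is_valid())
```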