On Thu, 17 Apr 2008 09:21:18 -0700 (PDT), "mrts" <[EMAIL PROTECTED]>
said:
> 
> > Middleware is easy to set and forget.  Is there a reason not to make
> > SecureForm the default, and InsecureForm for people using Ajax?  ;-)
> 
> Doesn't fit my workflow. In my case some POSTs are handled internally
> by other libraries (think OpenID).

I don't like the idea that CsrfMiddleware is going to be replaced by
SecureForm, precisely for this reason -- that POSTs are often not going
to be handled by forms, so even if it is possible to always inherit from
SecureForm, you still have to remember to handle other POSTs.  I much
prefer the current 'secure by default', like we have with auto-escaping.

So it seems to me that what we need first of all is the option to have
'secure by default, but with exceptions', again like auto-escape.  That
would require some setting for excluding certain paths/views from the
CsrfMiddleware, or decorators on views that signal 'don't CSRF protect
this' (I prefer the latter, if implementation isn't too bad).

Yes, I agree that CsrfMiddleware is a bit scary, but other security
measures are also somewhat hairy (autoescape is not particularly simple
in implementation, or even in usage).  Actually, the only part of
CsrfMiddleware that is scary is the auto-inserting of the
csrfmiddlewaretoken into the output.  Perhaps it could be changed to not
do this, and instead provide some interfaces for the developer to get
and insert the token (e.g. get_csrf_token() and {% csrf_token %} ). 
SecureForm would include this by default, in other situations you might
want to manually include it.  If you forget, and you haven't excluded
your view from CsrfMiddleware, you will get an obvious error, but not a
vulnerability.

Luke
-- 
Luke Plant - L.Plant.98 at cantab.net
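As an added illustration (not code from the message above, and not Django's own CsrfMiddleware), the following Python sketch shows the "secure by default, with exceptions" design Luke describes: a middleware that rejects any non-safe request lacking the per-session token, a csrf_exempt decorator for views whose POSTs are handled by another library, and a get_csrf_token()/template-tag style interface the developer calls explicitly rather than having the token auto-inserted into the output. The names CsrfMiddleware, csrf_exempt, get_csrf_token and csrf_token_tag, and the tiny Request/Response/session stand-ins, are assumptions made for the example so it runs without a web framework.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed names for the illustration; not the real Django API of 2008.
TOKEN_FIELD = "csrfmiddlewaretoken"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # state-changing methods are checked


@dataclass
class Request:
    """Minimal stand-in for a framework request object."""
    method: str
    path: str
    session: dict = field(default_factory=dict)  # server-side session store
    POST: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def csrf_exempt(view):
    """Decorator: the per-view 'don't CSRF protect this' signal (the exception)."""
    view.csrf_exempt = True
    return view


def get_csrf_token(request):
    """Developer-facing interface: return the session's token, minting it on first use."""
    token = request.session.get("_csrf_token")
    if token is None:
        token = secrets.token_hex(16)  # unguessable per-session secret
        request.session["_csrf_token"] = token
    return token


def csrf_token_tag(request):
    """What a {% csrf_token %} template tag would render into a form."""
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{get_csrf_token(request)}">'


class CsrfMiddleware:
    """Secure by default: every non-safe request is checked unless the view opted out."""

    def __init__(self, view):
        self.view = view

    def __call__(self, request):
        if request.method not in SAFE_METHODS and not getattr(self.view, "csrf_exempt", False):
            expected = request.session.get("_csrf_token")
            submitted = request.POST.get(TOKEN_FIELD, "")
            # Constant-time comparison; a missing session token also fails closed.
            if expected is None or not hmac.compare_digest(expected.encode(), submitted.encode()):
                return Response(403, "CSRF verification failed: missing or invalid token")
        return self.view(request)


def profile_view(request):
    """An ordinary form view; the developer must insert the token explicitly."""
    if request.method == "POST":
        return Response(200, f"saved name={request.POST.get('name')}")
    return Response(200, f'<form method="post">{csrf_token_tag(request)}<input name="name"></form>')


@csrf_exempt
def openid_return_view(request):
    """A POST handled by another library (think OpenID), so it is excluded from the check."""
    return Response(200, "openid response accepted")


def demo():
    """Runs the four cases the design is meant to cover; returns their outcomes."""
    protected = CsrfMiddleware(profile_view)
    exempt = CsrfMiddleware(openid_return_view)
    session = {}  # one victim's session, shared by all requests below
    # 1. Developer forgot the token: an obvious 403, not a silent vulnerability.
    forgot = protected(Request("POST", "/profile", session, {"name": "luke"}))
    # 2. Rendering the form mints the token; a legitimate submit carries it back.
    page = protected(Request("GET", "/profile", session))
    token = session["_csrf_token"]
    legit = protected(Request("POST", "/profile", session, {"name": "luke", TOKEN_FIELD: token}))
    # 3. Cross-site forgery rides the victim's session but cannot know the token.
    forged = protected(Request("POST", "/profile", session, {"name": "evil", TOKEN_FIELD: "0" * 32}))
    # 4. The exempt view accepts a token-less POST from the other library.
    openid = exempt(Request("POST", "/openid/return", session, {"openid.mode": "id_res"}))
    return forgot.status, legit.status, forged.status, openid.status, TOKEN_FIELD in page.body


if __name__ == "__main__":
    print(demo())
```

The point of the sketch is the failure mode Luke calls out: a view that forgets csrf_token_tag() and has not been decorated with csrf_exempt gets a 403 on its own form, which is noticed immediately, whereas a forgotten exemption for a third-party POST handler is also a 403 rather than an open endpoint.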

