On Sep 23, 9:00 am, oggie rob <[EMAIL PROTECTED]> wrote:
> I just read this thread now, and by the end of it, things are looking
> pretty complicated. Is it worth a gut check to make sure this is
> worthwhile? Although the middleware might be a hack now, it seems
> sensible that it fits in request/response areas rather than in forms:
> you still need to go out of your way to add it anyway (so users won't
> necessarily "turn it on"); it takes a lot more code; add in the
> multiple forms per page question, and to me it seems like you've fixed
> a problem by introducing another.

Here's a useful case in point: the admin. Django's admin should ship
with CSRF protection turned on and baked in. Right now, I'm willing to
bet 95% of the Django admin sites out there are exploitable via CSRF
because the middleware wasn't turned on. This is really bad.

I'm positive we can figure out a better API for CSRF protection than
what we have at the moment. At the moment I'm focused on forms, but if
there's something we can do at the view level instead I'd love to see
some suggestions.

> Finally, it doesn't take much to make a pretty message - something
> like "You are under attack, close down your browser and try again"
> with images of flaming people & such - for the (let's be realistic)
> very rare cases when a CSRF attack occurs.

I'm worried about false positives. One example where this would happen
is if you were to change your SECRET_KEY (secret management is a whole
other issue we haven't addressed). That's why I like the validation
error approach - it's unobtrusive and doesn't unnecessarily scare
people. We should definitely log detected CSRF issues though (logging
= another issue).

Cheers,

Simon
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en
-~----------~----~----~----~------~----~------~--~---
