> Too late now since it's already committed, but I've got some serious
> reservations about this one. More development effort should have gone
> into improving and refactoring the middleware before it got
> automatically enabled.

I agree with James here.  With apologies to Luke, the CSRF middleware
needed to be more bulletproof before it was turned on by default.  I
can't count the number of times since turning on the middleware that
I've been greeted with the cryptic "Cross-Site Request Forgery attempt
detected" message inexplicably, and every time I try to go and repeat
it, I am unable to do so.  I suspect that after 1.1 this will be the
most common FAQ/Complaint, as people won't understand and will get
these types of messages often.

Also, I ran into the problem myself where huge swaths of my tests
failed due to the CSRF middleware.  It took me a bit to realize that
it had to do with the CSRF middleware, and if it tripped me up, it's
going to trip up other users as well.  If we're going to ship CSRF
middleware on by default, I propose that we take a second look at the
wontfix status of tickets like #9172.

Thanks,
Eric Florenzano
You received this message because you are subscribed to the Google Groups 
"Django developers" group.