> I had forgotten about the Referer header check. It seems that it
> would stop the subdomain-to-subdomain CSRF attacks as long as
> the site is only using HTTPS, wouldn't it?
Yep. I think the balance there makes sense. It would be nice to figure out a good way to do optional checking for non-HTTPS, but really, everyone should be using HTTPS.

-Paul

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
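The behaviour the two messages are discussing, as an added illustration (this is not code from the thread and not Django's own middleware): a Referer check that is only enforced on HTTPS requests, and that rejects a Referer from a sibling subdomain because the host must match the request host exactly. The function name `referer_check`, the helper `_split_host`, and the sample hosts and URLs below are assumptions constructed for the example; on plain HTTP the function deliberately enforces nothing, which is the "optional checking for non-HTTPS" gap Paul mentions.

```python
from urllib.parse import urlsplit

# Constructed for this example: (request scheme, request Host header, Referer or None).
SAMPLE_REQUESTS = [
    ("https", "app.example.com", "https://app.example.com/form"),        # same origin
    ("https", "app.example.com", "https://evil.example.com/"),           # sibling subdomain
    ("https", "app.example.com", "http://app.example.com/"),             # downgraded scheme
    ("https", "app.example.com", None),                                  # Referer stripped
    ("https", "app.example.com:443", "https://app.example.com/"),        # explicit default port
    ("http",  "app.example.com", "http://evil.example.com/"),            # not checked on HTTP
]


def _split_host(host_header, default_port):
    """Normalise a Host header value into (lowercase host, port)."""
    host, sep, port = host_header.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return host_header.lower(), default_port


def referer_check(request_scheme, request_host, referer):
    """Return (ok, reason).

    The strict check only applies to HTTPS requests, where a browser will
    reliably send a Referer for a same-scheme navigation; on HTTP nothing is
    enforced here, mirroring the gap discussed in the thread.
    """
    if request_scheme != "https":
        return True, "non-HTTPS request: Referer not checked"
    if not referer:
        return False, "Referer missing on HTTPS request"
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return False, "Referer scheme is not https"
    try:
        referer_host, referer_port = parts.hostname, parts.port
    except ValueError:
        return False, "Referer has a malformed port"
    if not referer_host:
        return False, "Referer has no host"
    expected_host, expected_port = _split_host(request_host, 443)
    # Exact host comparison: app.example.com and evil.example.com never match,
    # so a request from a sibling subdomain is refused.
    if (referer_host.lower(), referer_port or 443) != (expected_host, expected_port):
        return False, "Referer host %r does not match request host %r" % (
            parts.netloc, request_host)
    return True, "Referer matches request origin"


def run_samples(samples=SAMPLE_REQUESTS):
    """Apply the check to each constructed request; returns the list of verdicts."""
    return [referer_check(*req)[0] for req in samples]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        ok, reason = referer_check(*req)
        print("%-5s %-20s %-35s -> %s (%s)" % (req[0], req[1], req[2], "allow" if ok else "reject", reason))
```

Running it shows the last, plain-HTTP row allowed with no check at all, which is exactly why the thread treats "everyone should be using HTTPS" as the practical condition for the Referer check to close the subdomain-to-subdomain case.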