On 2013-08-08 09:59, Collin Anderson wrote:
>> I am doing something a little different with my CSRF tokens, and
>> I believe it guards against BREACH.
> 
> Instead of sending the token in the HTTP response, I am using
> JavaScript to read (and generate if needed) the CSRF token cookie.
> The JavaScript reads the token from the cookie and adds it as a
> hidden field to any forms that need it on the page.
> 
> This also has two bonus benefits:

but also has the downside that it doesn't work if JS is disabled.
You may or may not care, but it's at least something to consider
(JS-free interactions may come from older devices, or from testing
tools, etc; so I've found enough benefit to code for JS-free and then
add in additional functionality).

-tkc
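
The scheme Collin describes, written out as an added example (this is not his code, nor Django's): the token lives only in a cookie, the script reads it or mints a fresh one, and a hidden field is added to each POST form at page load. Because the server never writes the token into the HTML body, a BREACH-style compression-ratio attack on the response has no secret to measure. The cookie name `csrftoken` and field name `csrfmiddlewaretoken` are assumed (they match Django's defaults); the server-side comparison of cookie value against submitted field is assumed to exist and is not shown. The hidden field only appears after the script runs, which is exactly the JS-free gap tkc points out.

```javascript
// Added example (not Collin Anderson's or Django's code): a client-side
// "double submit" CSRF token. Assumptions: cookie "csrftoken", hidden field
// "csrfmiddlewaretoken"; the server still compares cookie and field on every POST.

const COOKIE_NAME = 'csrftoken';
const FIELD_NAME = 'csrfmiddlewaretoken';
const TOKEN_BYTES = 32;

// Turn a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// CSPRNG bytes; the parameter is injectable only so tests can be deterministic.
function defaultRandomBytes(n) {
  const buf = new Uint8Array(n);
  globalThis.crypto.getRandomValues(buf);
  return buf;
}

function generateToken(randomBytes = defaultRandomBytes) {
  return Array.from(randomBytes(TOKEN_BYTES), (b) => b.toString(16).padStart(2, '0')).join('');
}

// Accept only the exact hex shape we generate, so a stale or tampered cookie
// is replaced rather than copied into the form.
function isValidToken(token) {
  return typeof token === 'string' && new RegExp(`^[0-9a-f]{${TOKEN_BYTES * 2}}$`).test(token);
}

// "Read (and generate if needed)": returns the usable token and whether it is new.
function getOrCreateToken(cookieString, randomBytes = defaultRandomBytes) {
  const existing = parseCookies(cookieString)[COOKIE_NAME];
  if (isValidToken(existing)) return { token: existing, created: false };
  return { token: generateToken(randomBytes), created: true };
}

// The cookie must be readable by script, so it cannot be HttpOnly; SameSite=Lax
// and Secure limit what a third-party page can do with it.
function cookieAssignment(token, secure) {
  return `${COOKIE_NAME}=${token}; Path=/; SameSite=Lax${secure ? '; Secure' : ''}`;
}

// Add (or refresh) the hidden field on one form. `doc` is injectable so the
// function can be exercised outside a browser.
function ensureHiddenField(form, token, doc = globalThis.document) {
  let input = form.querySelector(`input[name="${FIELD_NAME}"]`);
  if (!input) {
    input = doc.createElement('input');
    input.type = 'hidden';
    input.name = FIELD_NAME;
    form.appendChild(input);
  }
  input.value = token;
  return input;
}

// Browser entry point. Forms rendered for clients without JavaScript never
// get the field, which is the downside raised in the reply above.
function installCsrfTokens(doc = globalThis.document) {
  const { token, created } = getOrCreateToken(doc.cookie);
  if (created) doc.cookie = cookieAssignment(token, doc.location.protocol === 'https:');
  let count = 0;
  for (const form of doc.querySelectorAll('form')) {
    if (form.method.toLowerCase() !== 'post') continue; // only state-changing forms
    ensureHiddenField(form, token, doc);
    count += 1;
  }
  return count; // number of forms that received the field
}

if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => installCsrfTokens(document));
}
```

Note the trade-off the cookie attributes encode: the token cookie cannot be `HttpOnly` because the script must read it, so the scheme relies on the browser's same-origin rules for `document.cookie` rather than on hiding the cookie from script.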
