Yeah, I would agree with you. You should know what your CSRF middleware is
doing when you enable it, so you should know what cookie name, etc. is being
used for your JS.
On Aug 4, 2014 12:56 PM, "Donald Stufft" <don...@stufft.io> wrote:

>
>
> On August 4, 2014 at 3:52:56 PM, Wes Alvaro (he...@wesalvaro.com) wrote:
> > I don't see that as a drawback at all. Third party code should not be
> > concerned with the CSRF cookie information. There's a separation of
> > concerns that's being violated there. Are you speaking from knowledge of
> > 3rd party code needing access to this data or hypothetically? If you have
> > an example, I'd be interested to see why they are accessing it and why
> > they aren't implemented as a CSRF middleware.
> >
>
> Well, anything with hardcoded cookie names in JavaScript would break
> with this setting, although I’m inclined to say you shouldn’t change
> the setting in that case.
>
> --
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372
> DCFA
>
