On Monday, 28 November 2016 21:38:14 UTC, Tim Graham wrote:
>
> Meanwhile, there's a ticket [0] asking to expand the documentation of the 
> settings.CSRF_COOKIE_HTTPONLY. If this setting doesn't provide any value, 
> then I figure we should remove the system check that suggests to enable it 
> and deemphasize it in the documentation and/or remove it. Is there 
> consensus on this?
>
 
If CSRF_COOKIE_HTTPONLY isn't effective, then I'm happy for the system 
check to be removed and the documentation to be clarified. However, as a 
user of the setting in the past, I don't think it should be removed. 
Sometimes the functionality is needed to comply with security reports, 
regardless of whether or not the setting is effective.
