#9977: CSRFMiddleware needs template tag
---------------------------------------------+------------------------------
               Reporter:  bthomas            |        Owner:  lukeplant
                 Status:  assigned           |    Milestone:
              Component:  Uncategorized      |      Version:  SVN
             Resolution:                     |     Keywords:  csrf
                  Stage:  Design decision needed |  Has_patch:  1
             Needs_docs:  1                  |  Needs_tests:  0
     Needs_better_patch:  1                  |
---------------------------------------------+------------------------------
Comment (by lukeplant):
When I tried the git Django mirrors they weren't working, so I've set up a Mercurial branch containing this stuff: http://bitbucket.org/spookylukey/django-trunk-lukeplant/

It is a fork of http://bitbucket.org/spookylukey/django-trunk and has all the updates we've talked about, apart from removing the hashing of the cookie token (which you've convinced me about - it was useful when we were session dependent, but not now).

With Firefox and Konqueror you can't set a cookie for ".co.uk", I've tried that, and I presume that protection is in place for the others. (That worries me slightly, because browsers must need to know rules that will presumably need updating. But anyway...)

I can't help thinking that we need more help from browsers/HTTP, as that paper suggests, to really produce a satisfactory solution, especially with regard to HTTPS and MITM.

Also, we need to be aware that, with regard to login CSRF, in Django it will work slightly differently, as a session is created '''before''' the user logs in, not on the POST request that contains the authentication credentials, which complicates applying that paper directly.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/9977#comment:31>
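To make the cookie-token scheme under discussion concrete, here is an added, self-contained model of it (example code written for this note, not the patch on the branch): the token is stored unhashed in a cookie, a template-tag-style helper copies it into a hidden form field, and the check on unsafe methods compares the two in constant time. Names such as `check_request` and the constructed request values are assumptions for the example.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Hypothetical names for the example; Django's real settings/field names may differ.
CSRF_COOKIE = "csrftoken"
CSRF_FIELD = "csrfmiddlewaretoken"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def new_token():
    """Fresh random token; stored as-is in the cookie (no hashing, no session)."""
    return secrets.token_hex(16)


def csrf_input(token):
    """What a template tag would render into every POST form."""
    return f'<input type="hidden" name="{CSRF_FIELD}" value="{token}">'


def check_request(method, headers, body):
    """Middleware-style check. Returns (accepted, reason).

    headers: dict of request headers (only 'Cookie' is consulted here)
    body:    urlencoded form body as a string
    """
    if method in SAFE_METHODS:
        return True, "safe method"
    cookies = SimpleCookie(headers.get("Cookie", ""))
    if CSRF_COOKIE not in cookies:
        # A cross-site form post carries no token of its own to put in the form,
        # and the browser sends the cookie only if the victim already has one.
        return False, "no CSRF cookie"
    cookie_token = cookies[CSRF_COOKIE].value
    form_token = parse_qs(body).get(CSRF_FIELD, [""])[0]
    if not form_token:
        return False, "no CSRF token in form"
    # Constant-time comparison so the check leaks nothing about the token.
    if not hmac.compare_digest(cookie_token, form_token):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed round trip: token issued, rendered into a form, posted back.
    tok = new_token()
    print(csrf_input(tok))
    print(check_request("POST", {"Cookie": f"{CSRF_COOKIE}={tok}"}, f"{CSRF_FIELD}={tok}&q=1"))
```

The check deliberately trusts nothing but the cookie/form pair, which is why the cookie-domain and HTTPS/MITM concerns in the comment matter: anyone who can set the cookie can also satisfy the check.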