#9977: CSRFMiddleware needs template tag
---------------------------------------------+------------------------------
          Reporter:  bthomas                 |         Owner:  lukeplant
            Status:  assigned                |     Milestone:           
         Component:  Uncategorized           |       Version:  SVN      
        Resolution:                          |      Keywords:  csrf     
             Stage:  Design decision needed  |     Has_patch:  1        
        Needs_docs:  1                       |   Needs_tests:  0        
Needs_better_patch:  1                       |  
---------------------------------------------+------------------------------
Comment (by lukeplant):

 When I tried the git django mirrors they weren't working, so I've set up a
 mercurial branch containing this stuff:

 http://bitbucket.org/spookylukey/django-trunk-lukeplant/

 It is a fork of http://bitbucket.org/spookylukey/django-trunk and has all
 the updates we've talked about, apart from removing the hashing of the
 cookie token (which you've convinced me about - it was useful when we were
 session dependent, but not now).

 With Firefox and Konqueror, you can't set a cookie for ".co.uk"; I've
 tried that, and I presume that protection is in place for the others.
 (That worries me slightly, because browsers must need to know rules that
 will presumably need updating. But anyway...)

 I can't help thinking that we need more help from browsers/HTTP, as that
 paper suggests, to really produce a satisfactory solution, especially with
 regard to HTTPS and MITM.  Also, we need to be aware that, with regard to
 login CSRF, in Django it will work slightly differently, as a session is
 created '''before''' the user logs in, not on the POST request that
 contains the authentication credentials, which complicates applying that
 paper directly.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/9977#comment:31>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
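The following is an added illustration of the cookie-token check the ticket is about, written for this page rather than taken from Django or from the branch linked above. It models the two points raised in the comment: the token lives in a cookie unhashed, and for login CSRF the token is issued when the login page is fetched (before any authenticated session exists) so that the POST carrying credentials is itself covered. The cookie name, form field name, the `Request` stand-in and the helper names are assumptions for the example.

```python
"""Cookie-token CSRF check (added example, not Django's CsrfMiddleware).
Assumed names: CSRF_COOKIE, CSRF_FIELD, Request, issue_token,
check_request, simulate_login."""
import hmac
import secrets

CSRF_COOKIE = "csrftoken"            # assumed cookie name
CSRF_FIELD = "csrfmiddlewaretoken"   # assumed form field name
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


class Request:
    """Constructed stand-in for an HTTP request: method, cookie jar, POST data."""

    def __init__(self, method, cookies=None, post=None):
        self.method = method
        self.cookies = dict(cookies or {})
        self.POST = dict(post or {})


def issue_token(request):
    """Make sure the client holds a CSRF cookie token and return it.

    The token is random and stored raw in the cookie; no hashing, as agreed
    on the ticket. Issuing it on a GET means it exists before any login."""
    token = request.cookies.get(CSRF_COOKIE)
    if not token:
        token = secrets.token_hex(16)
        request.cookies[CSRF_COOKIE] = token
    return token


def check_request(request):
    """Return True if the request may proceed, False if it must be rejected.

    Safe methods always pass. Any other method must carry a form field equal
    to the cookie token. A cross-site form post can make the browser send the
    cookie, but cannot read it to copy the value into the form, so the two
    values only match for a same-site page that rendered the token."""
    if request.method in SAFE_METHODS:
        return True
    cookie_token = request.cookies.get(CSRF_COOKIE, "")
    form_token = request.POST.get(CSRF_FIELD, "")
    if not cookie_token or not form_token:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(cookie_token, form_token)


def simulate_login(forged):
    """Walk a login through the check.

    GET /login issues the cookie token before a user is authenticated; the
    POST with credentials must echo it. forged=True models a cross-site form
    that submits credentials without access to the victim's cookie value."""
    get = Request("GET")
    token = issue_token(get)              # token set while fetching the form
    form = {"username": "alice", "password": "constructed-password"}
    if not forged:
        form[CSRF_FIELD] = token          # legitimate page copies it into the form
    post = Request("POST", cookies=get.cookies, post=form)
    return check_request(post)


if __name__ == "__main__":
    print("genuine login accepted:", simulate_login(forged=False))
    print("forged login accepted:", simulate_login(forged=True))
```

The forged login is rejected even though the browser attached the cookie, because the attacker's form cannot contain the matching field; that is the property the ticket's cookie-based middleware relies on, and issuing the token on the GET is what extends it to the login POST.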