#12738: CSRF token name should be a configurable setting
------------------------------------+---------------------------------------
          Reporter:  Kronuz         |         Owner:  nobody
            Status:  new            |     Milestone:  1.2   
         Component:  Uncategorized  |       Version:        
        Resolution:                 |      Keywords:        
             Stage:  Unreviewed     |     Has_patch:  0     
        Needs_docs:  0              |   Needs_tests:  0     
Needs_better_patch:  0              |  
------------------------------------+---------------------------------------
Changes (by lukeplant):

  * needs_better_patch:  => 0
  * needs_tests:  => 0
  * needs_docs:  => 0

Comment:

 I don't understand why that would improve security.  The security lies in
 the value of the token, not the name.  Most CSRF attacks are going to be
 per-site, and a setting would be per-site.  Also, if an attacker was using
 a more generic attack against all Django-powered sites, it would be easy
 to find out what the name of the token is for a specific site - one
 request to a page that contains a POST form, and you are done, since a
 simple regex will in most cases find which field 'looks like' a Django
 CSRF token.

 Do you have an actual use case where you need this?

-- 
Ticket URL: <http://code.djangoproject.com/ticket/12738#comment:1>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
