On Wed, Apr 18, 2012 at 3:50 PM, Luke Plant wrote:
> One query: are you sure it is harder to manipulate? In particular, I
> remember from a while back that Flash allowed some headers to be
> manipulated, which caused problems, and they fixed it by blacklisting
> some headers, I think including ref
On 16:03 +0100 / 18 Apr, Luke Plant wrote:
> On 15/04/12 05:23, Rohan Jain wrote:
> > On 22:50 +0100 / 13 Apr, Luke Plant wrote:
> >> The reason for the strict referer checking under HTTPS is set out here:
> >>
> >> https://code.djangoproject.com/wiki/CsrfProtection
> >>
> >> Particularly, it is to
I hosted a simple app which responds with the request details for
testing purposes:
https://request-mirror.herokuapp.com/
(source: https://github.com/crodjer/request-mirror)
On 12:05 -0700 / 18 Apr, Paul McMillan wrote:
> There seems to be some confusion about CORS (a hairy draft spec that
> is n
On 18/04/12 20:05, Paul McMillan wrote:
> My suggestion here is to include optional support for the Origin
> header as follows:
> - if present and null, fail the CSRF check
> - if present and not null, use in alongside the Referer header
> - if absent, keep current behavior
>
> As a general rule,
There seems to be some confusion about CORS (a hairy draft spec that
is not fully implemented in any browser, and not appropriate for
inclusion in Django at this time) and the "Origin" header (aka Web
Origin, rfc6454).
http://tools.ietf.org/html/rfc6454
https://wiki.mozilla.org/Security/Origin
ht
Sorry to reply twice, a comment on a different part:
On 15/04/12 05:23, Rohan Jain wrote:
> On 22:50 +0100 / 13 Apr, Luke Plant wrote:
>> .. At the moment, it seems that few browsers send the
>> 'Origin' header for normal HTML requests. (Recent versions of Chrome,
>> Firefox and Opera do not, I do
On 15/04/12 05:23, Rohan Jain wrote:
> On 22:50 +0100 / 13 Apr, Luke Plant wrote:
>> The reason for the strict referer checking under HTTPS is set out here:
>>
>> https://code.djangoproject.com/wiki/CsrfProtection
>>
>> Particularly, it is to fix the 'CSRF + MITM' attack that is possible
>> under H
On 22:50 +0100 / 13 Apr, Luke Plant wrote:
> Hi Rohan,
>
> Sorry for the slow reply on this one, I've had a busy time recently.
> Please see my comments on some parts of this proposal.
No worries about this.
>
> On 31/03/12 19:10, Rohan Jain wrote:
> > Hi,
> >
> > I am Rohan Jain, a 4th (final)
Hi Rohan,
Sorry for the slow reply on this one, I've had a busy time recently.
Please see my comments on some parts of this proposal.
On 31/03/12 19:10, Rohan Jain wrote:
> Hi,
>
> I am Rohan Jain, a 4th (final) year B.Tech undergraduate Student from
> Indian Institute of Technology, Kharagpur.
Hi Russell,
That is good news for me. I have added a timeline and posted it over
melange.
Public Gist for the same: https://gist.github.com/2203174
-- Rohan
On 16:14 +0800 / 6 Apr, Russell Keith-Magee wrote:
>
> On 06/04/2012, at 3:54 PM, Rohan Jain wrote:
>
> > Hi Russell,
> >
> > Thanks
On 06/04/2012, at 3:54 PM, Rohan Jain wrote:
> Hi Russell,
>
> Thanks for the reply.
>
> On 14:42 +0800 / 6 Apr, Russell Keith-Magee wrote:
>>
>> Hi Rohan,
>>
>> Apologies for the lack of response. Anyone who has put effort into writing
>> up a proposal certainly deserves a response of some
Hi Russell,
Thanks for the reply.
On 14:42 +0800 / 6 Apr, Russell Keith-Magee wrote:
>
> Hi Rohan,
>
> Apologies for the lack of response. Anyone who has put effort into writing up
> a proposal certainly deserves a response of some kind, so we've dropped the
> ball here.
>
> In our defence,
Hi Rohan,
Apologies for the lack of response. Anyone who has put effort into writing up a
proposal certainly deserves a response of some kind, so we've dropped the ball
here.
In our defence, here's a couple of the reasons why your proposal probably
hasn't got a wild response:
* You've pick
Hi again,
I really couldn't understand the response this post has got. It
deserved at least a little feedback, positive or negative. I guess I
won't be submitting this over melange.
Still, I have put some effort and research in the proposal. So if
possible I would like to know if it had anything o
Hi,
I am Rohan Jain, a 4th (final) year B.Tech undergraduate student
from Indian Institute of Technology, Kharagpur. I have been using
Django for over a year and generally look into the code base to find
out about various implementations. I have made attempts to make some minor
contributions and if