Re: SecureForm in newforms

2008-04-19 Thread Simon Willison
On Apr 17, 5:04 pm, "Jeremy Dunck" <[EMAIL PROTECTED]> wrote:
> Middleware is easy to set and forget. Is there a reason not to make
> SecureForm the default, and InsecureForm for people using Ajax? ;-)

I'm pretty sure we can handle the Ajax case by not doing CSRF token checks if

Re: SecureForm in newforms

2008-04-17 Thread Luke Plant
On Thu, 17 Apr 2008 09:21:18 -0700 (PDT), "mrts" <[EMAIL PROTECTED]> said:
>
> > Middleware is easy to set and forget. Is there a reason not to make
> > SecureForm the default, and InsecureForm for people using Ajax? ;-)
>
> Doesn't fit my workflow. In my case some POSTs are handled

Re: SecureForm in newforms

2008-04-17 Thread mrts
> Middleware is easy to set and forget.  Is there a reason not to make
> SecureForm the default, and InsecureForm for people using Ajax?  ;-)

Doesn't fit my workflow. In my case some POSTs are handled internally by other libraries (think OpenID).

Re: SecureForm in newforms

2008-04-17 Thread Jeremy Dunck
On Thu, Apr 17, 2008 at 11:00 AM, Jacob Kaplan-Moss <[EMAIL PROTECTED]> wrote:
>
> On Thu, Apr 17, 2008 at 10:08 AM, mrts <[EMAIL PROTECTED]> wrote:
> > This is cumbersome and error-prone, thus I propose that a SecureForm
> > or CSRFSecureForm be added to newforms that would automate the

Re: SecureForm in newforms

2008-04-17 Thread Jacob Kaplan-Moss
On Thu, Apr 17, 2008 at 10:08 AM, mrts <[EMAIL PROTECTED]> wrote:
> This is cumbersome and error-prone, thus I propose that a SecureForm
> or CSRFSecureForm be added to newforms that would automate the steps
> given above (like CsrfMiddleware does).

Agreed -- I was just talking with Simon the

SecureForm in newforms

2008-04-17 Thread mrts
If one wants to protect all POSTed data against CSRF, one should use CSRFMiddleware. However, a common use case is to protect only some POSTed forms and let other POST data through (e.g. Ajax POSTs, OpenID consumers etc -- CsrfMiddleware will not let them through without the token). Currently,