Luke - I suggest taking a look at the patch, as it works exactly as
you describe (i.e. CSRF-like).
The only thing that's not in there is having the middleware in the project
template but commented out. I can add that in too.
--
You received this message because you are subscribed to the Google Group
I personally do not believe XFrameOptionsMiddleware should be on by
default. There are plenty of folks using Django for simple static
sites or RESTful APIs where clickjacking doesn't apply.
I'd prefer it be something that requires you to intentionally turn it
on by adding the middleware to your set
See approved ticket: http://code.djangoproject.com/ticket/14261
There, Luke Plant said:
"""
+1, I was going to suggest it myself. The patch looks pretty good.
After Django 1.3 is out, we should have some discussion on django-devs
about:
- what the default value should be (I think SAMEORIGIN woul
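To make the opt-in behaviour being debated concrete, here is a small toy model of a clickjacking middleware, written for this thread rather than taken from the Django patch or from Django itself. It assumes a hypothetical request/response shape (plain dicts), a hypothetical `xframe_exempt` flag for views that legitimately need framing (e.g. an embeddable widget), and a SAMEORIGIN default; the protection only applies when the middleware is actually placed in the stack, and a view that sets its own header keeps it.

```python
"""Toy model of an X-Frame-Options middleware (constructed example, not Django code).

Demonstrates the behaviour discussed in the thread:
  * the header is only added when the middleware is present in the stack (opt-in),
  * the default value is SAMEORIGIN,
  * a view can opt out (hypothetical `xframe_exempt` flag) or set its own value.
"""
from typing import Callable, Dict, List, Optional

Request = Dict[str, str]
Response = Dict[str, object]
Handler = Callable[[Request], Response]

HEADER = "X-Frame-Options"
VALID_VALUES = ("DENY", "SAMEORIGIN")


def make_response(body: str, *, headers: Optional[Dict[str, str]] = None,
                  xframe_exempt: bool = False) -> Response:
    """Build a minimal response dict (constructed shape for this example)."""
    return {"status": 200, "headers": dict(headers or {}), "body": body,
            "xframe_exempt": xframe_exempt}


class XFrameOptionsMiddleware:
    """Add X-Frame-Options to every response that does not already carry it."""

    def __init__(self, get_response: Handler, default: str = "SAMEORIGIN") -> None:
        if default not in VALID_VALUES:
            raise ValueError(f"{HEADER} must be one of {VALID_VALUES}, got {default!r}")
        self.get_response = get_response
        self.default = default

    def __call__(self, request: Request) -> Response:
        response = self.get_response(request)
        # A view that explicitly allows framing (e.g. an embeddable widget) is left alone.
        if response.get("xframe_exempt"):
            return response
        # Never overwrite a value the view chose deliberately (e.g. a stricter DENY).
        if HEADER not in response["headers"]:
            response["headers"][HEADER] = self.default
        return response


# --- three constructed views covering the cases the thread mentions ---------------
def page_view(request: Request) -> Response:
    """Ordinary HTML page: should get the default protection."""
    return make_response("<html>...</html>")


def api_view(request: Request) -> Response:
    """RESTful endpoint where framing is irrelevant; opts out via the hypothetical flag."""
    return make_response('{"ok": true}', xframe_exempt=True)


def embed_denied_view(request: Request) -> Response:
    """View that sets a stricter policy itself; the middleware must not override it."""
    return make_response("<html>sensitive</html>", headers={HEADER: "DENY"})


ROUTES: Dict[str, Handler] = {
    "/page": page_view,
    "/api": api_view,
    "/embed-denied": embed_denied_view,
}


def dispatch(request: Request) -> Response:
    """Route a request to its view (hypothetical tiny router)."""
    return ROUTES[request["path"]](request)


def build_app(view: Handler, middleware_classes: List[type]) -> Handler:
    """Wrap `view` in the given middleware classes, outermost first (opt-in by listing)."""
    handler = view
    for mw in reversed(middleware_classes):
        handler = mw(handler)
    return handler


def demo() -> Dict[tuple, Optional[str]]:
    """Return the X-Frame-Options value each route yields, with and without the middleware."""
    with_mw = build_app(dispatch, [XFrameOptionsMiddleware])
    without_mw = build_app(dispatch, [])
    results: Dict[tuple, Optional[str]] = {}
    for path in ROUTES:
        results[("with", path)] = with_mw({"path": path})["headers"].get(HEADER)
        results[("without", path)] = without_mw({"path": path})["headers"].get(HEADER)
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(f"{key[0]:<8} {key[1]:<14} {HEADER}: {value}")
```

Running the module prints the header each route ends up with: with the middleware listed, the page gets `SAMEORIGIN`, the API endpoint gets nothing because it opted out, and the view that set `DENY` keeps it; with the middleware absent, no route gets the header, which is the "off unless you add it" behaviour argued for above.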
On Feb 25, 9:49 am, Luke Plant wrote:
> Sorry, I forgot to continue this conversation.
>
> I'm quite happy to entertain the idea that the CSRF middleware should
> always set the CSRF cookie, but would like to know what other devs
> think.
>
> The main consequence I can think of is this:
>
> If a p