On Wednesday 01 April 2009 00:10:01 Jacob Kaplan-Moss wrote:
> An even bigger problem would be for users of third-party reusable
> apps: my personal blog is a mere 645 lines of code, but there's
> over 10,000 lines of third-party apps I'm building on top of. If I
> want to upgrade to 1.1 and keep
I wrote:
> Completely harmless side effect: you get
> double insertion of the CSRF token in the contrib apps (this works
> fine, it isn't even invalid HTML).
In fact, we can even remove this side effect, and the performance hit
of using the CsrfResponseMiddleware where it is not needed, by usin

Hi Jacob,
Just got back from being away, would have replied earlier otherwise...
> It's simply far too draconian: if I forget to do all steps needed
> to upgrade, all my contrib apps stop working. And then as soon as I
> *do* those steps, all *my* apps that use POST stop working. I just
> can't

Hi Luke --
I'm sorry it took me so long to review this patch, but I wanted to
make sure I knew what I was talking about first.
What you've done here is admirable, and I agree that the goal of
out-of-the-box CSRF protection is important, but ultimately I can't
get behind committing this.
It's si

On Monday 23 March 2009 19:21:00 Luke Plant wrote:
> Hi all,
>
> The patch has been added to:
>
> http://code.djangoproject.com/ticket/9977
I've bashed on this a lot more, and discovered (and fixed) several
issues (particularly to do with what happens when sessions are first
created). I've a

Hi all,
The patch has been added to:
http://code.djangoproject.com/ticket/9977
It includes tests, docs etc - I think it is complete. Other notes are
below (some of this would need to be prominently noted in the release
notes).
I don't know if this is too late for the beta. Since I guess