Luke - I suggest taking a look at the patch, as it works exactly as
you describe (i.e. CSRF-like).
The only thing that's not in there is having the middleware in the project
template but commented out. I can add that in too.
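To make the "CSRF-like" shape concrete (a middleware that stamps every response with a site-wide default, plus a per-view decorator to opt out or tighten), here is an added, framework-independent sketch. It is not the patch from the ticket and not Django's code; the Request and Response classes, the route table, the view names and the decorator names are assumptions made for the illustration. It uses SAMEORIGIN as the default so that existing same-site framing keeps working, and the header only appears when the site actually wires the middleware in, which is the "off by default" behaviour argued for below.

```python
# Added example (not Django's code and not the patch under discussion):
# a framework-independent sketch of an X-Frame-Options middleware with a
# SAMEORIGIN default and per-view decorators. Request/Response, the route
# table and the view names are constructed stand-ins for the illustration.
from functools import wraps

HEADER = "X-Frame-Options"
ALLOWED_VALUES = ("DENY", "SAMEORIGIN")


class Request:
    """Constructed stand-in for a framework request; only the path matters."""
    def __init__(self, path):
        self.path = path


class Response:
    """Constructed stand-in for a framework response with a header dict."""
    def __init__(self, body, headers=None):
        self.body = body
        self.headers = dict(headers or {})
        self.xframe_options_exempt = False  # set by the exempt decorator

    def has_header(self, name):
        # HTTP header names are case-insensitive, so compare case-folded.
        return any(k.lower() == name.lower() for k in self.headers)


def xframe_options_exempt(view):
    """Opt one view out: its response may be framed by any origin
    (e.g. a widget meant for embedding). The middleware leaves it alone."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        response = view(request, *args, **kwargs)
        response.xframe_options_exempt = True
        return response
    return wrapper


def xframe_options_deny(view):
    """Tighten one view: forbid framing even by the same origin."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        response = view(request, *args, **kwargs)
        response.headers[HEADER] = "DENY"
        return response
    return wrapper


class XFrameOptionsMiddleware:
    """Adds the header to every response that does not already carry one.
    It only does anything when a site puts it in its middleware chain, so a
    static site or JSON API that never adds it is unaffected."""
    def __init__(self, get_response, default="SAMEORIGIN"):
        if default not in ALLOWED_VALUES:
            raise ValueError(f"{HEADER} must be one of {ALLOWED_VALUES}")
        self.get_response = get_response
        self.default = default

    def __call__(self, request):
        response = self.get_response(request)
        # A view that opted out, or that already chose its own value (via the
        # deny decorator or by setting the header itself), wins over the default.
        if response.xframe_options_exempt or response.has_header(HEADER):
            return response
        response.headers[HEADER] = self.default
        return response


# Constructed views for the illustration.
def home(request):
    return Response("home page")

@xframe_options_exempt
def embeddable_widget(request):
    return Response("widget meant to be framed elsewhere")

@xframe_options_deny
def account_settings(request):
    return Response("sensitive settings page")

ROUTES = {"/": home, "/widget/": embeddable_widget, "/settings/": account_settings}

def dispatch(request):
    """Minimal router standing in for the framework's URL resolver."""
    return ROUTES[request.path](request)


def header_with_middleware(path, default="SAMEORIGIN"):
    """X-Frame-Options value a client sees with the middleware enabled."""
    app = XFrameOptionsMiddleware(dispatch, default=default)
    return app(Request(path)).headers.get(HEADER)


def header_without_middleware(path):
    """Same request with the middleware left out (the 'off by default' case)."""
    return dispatch(Request(path)).headers.get(HEADER)


if __name__ == "__main__":
    for path in ROUTES:
        print(f"{path:12} with middleware: {header_with_middleware(path)!s:11}"
              f" without: {header_without_middleware(path)}")
```

The check in `__call__` is what keeps SAMEORIGIN from breaking existing sites: a view that already set the header, or that was marked exempt, is never overwritten, so a site can enable the middleware and then carve out the few pages it intentionally lets other origins frame. The header is only a hint to browsers that honour it, so it is defence against clickjacking, not a substitute for CSRF protection on the framed page.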
On 14/03/11 20:38, Paul McMillan wrote:
I agree that Django should include this functionality in core. The
header is a very useful way to discourage clickjacking in modern
browsers.
However, I also agree with Ryan N that this should be off by default.
If it must be on, it should use SAMEORIGIN (as the patch currently
provides) to avoid breaking existing sites.
I would suggest putting the middleware in the project template, but
leav
I personally like the idea of a decorator
On Mar 13, 12:30 pm, Ryan N wrote:
> I personally do not believe XFrameOptionsMiddleware should be on by
> default. There are plenty of folks using Django for simple static
> sites or RESTful APIs where clickjacking doesn't apply.
>
> I'd prefer it's some
This is awesome - very progressive and I hope other frameworks follow
suit.
Have you done a poll of users to see how many would be affected by a
"SAMEORIGIN" setting? Maybe that would be a good place to start. Is
there some other way to test the overall impact of this prior to
committing to it be
I personally do not believe XFrameOptionsMiddleware should be on by
default. There are plenty of folks using Django for simple static
sites or RESTful APIs where clickjacking doesn't apply.
I'd prefer it's something that requires you to intentionally turn it
on by adding the middleware to your set
See approved ticket: http://code.djangoproject.com/ticket/14261
There, Luke Plant said:
"""
+1, I was going to suggest it myself. The patch looks pretty good.
After Django 1.3 is out, we should have some discussion on django-devs
about:
- what the default value should be (I think SAMEORIGIN woul