Re: Ticket 14261 - add basic clickjacking protection to Django

2011-03-14 Thread Ryan N
Luke - I suggest taking a look at the patch, as it works exactly as you describe (i.e. CSRF-like). Only thing that's not in there is having the middleware in the project template but commented out. I can add that in too.

Re: Ticket 14261 - add basic clickjacking protection to Django

2011-03-14 Thread Luke Plant
On 14/03/11 20:38, Paul McMillan wrote: However, I also agree with Ryan N that this should be off by default. If it must be on, it should use SAMEORIGIN (as the patch currently provides) to avoid breaking existing sites. I would suggest putting the middleware in the project template, but leav

Re: Ticket 14261 - add basic clickjacking protection to Django

2011-03-14 Thread Paul McMillan
I agree that Django should include this functionality in core. The header is a very useful way to discourage click-jacking in modern browsers. However, I also agree with Ryan N that this should be off by default. If it must be on, it should use SAMEORIGIN (as the patch currently provides) to avoid

Re: Ticket 14261 - add basic clickjacking protection to Django

2011-03-13 Thread Rohit Sethi
I personally like the idea of a decorator

On Mar 13, 12:30 pm, Ryan N wrote:
> I personally do not believe XFrameOptionsMiddleware should be on by
> default. There are plenty of folks using Django for simple static
> sites or RESTful APIs where clickjacking doesn't apply.
>
> I'd prefer it's some

Re: Ticket 14261 - add basic clickjacking protection to Django

2011-03-13 Thread Rohit Sethi
This is awesome - very progressive and I hope other frameworks follow suit. Have you done a poll of users to see how many would be affected by a "SAMEORIGIN" setting? Maybe that would be a good place to start. Is there some other way to test the overall impact of this prior to committing to it be

Re: Ticket 14261 - add basic clickjacking protection to Django

2011-03-13 Thread Ryan N
I personally do not believe XFrameOptionsMiddleware should be on by default. There are plenty of folks using Django for simple static sites or RESTful APIs where clickjacking doesn't apply. I'd prefer it's something that requires you to intentionally turn it on by adding the middleware to your set
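The opt-in, CSRF-like design the thread converges on (a middleware that adds X-Frame-Options only when installed, SAMEORIGIN as the non-breaking default value, and per-view decorators to override it, as raised by Ryan N and Rohit Sethi above), as an added framework-free Python sketch that is neither Django's code nor the ticket's patch; the `Response` class, the `X_FRAME_OPTIONS` settings key, the decorator names and the sample views are assumptions.

```python
import functools

class Response:
    """Assumed stand-in for the framework's response object."""
    def __init__(self):
        self.headers = {}
        self.xframe_options_exempt = False  # set by the exempt decorator

def xframe_options_exempt(view):
    """Assumed decorator: this view must stay frameable (e.g. an embeddable widget)."""
    @functools.wraps(view)
    def wrapped(request):
        response = view(request)
        response.xframe_options_exempt = True
        return response
    return wrapped

def xframe_options_deny(view):
    """Assumed decorator: this view is never frameable, whatever the site default."""
    @functools.wraps(view)
    def wrapped(request):
        response = view(request)
        response.headers["X-Frame-Options"] = "DENY"
        return response
    return wrapped

class XFrameOptionsMiddleware:
    """Adds X-Frame-Options to every response unless the view opted out or set it."""
    def __init__(self, get_response, settings):
        self.get_response = get_response
        # Opt-in as the thread proposes: nothing happens unless the middleware is
        # installed; SAMEORIGIN is the non-breaking default value when it is.
        self.value = settings.get("X_FRAME_OPTIONS", "SAMEORIGIN").upper()
        if self.value not in ("DENY", "SAMEORIGIN"):
            raise ValueError("X_FRAME_OPTIONS must be DENY or SAMEORIGIN")

    def __call__(self, request):
        response = self.get_response(request)
        if response.xframe_options_exempt or "X-Frame-Options" in response.headers:
            return response  # respect the per-view decision
        response.headers["X-Frame-Options"] = self.value
        return response

# Constructed sample views; the request is just a path and a dict stands in for the URL resolver.
def login_view(path): return Response()
widget_view = xframe_options_exempt(lambda path: Response())
admin_view = xframe_options_deny(lambda path: Response())
ROUTES = {"/login/": login_view, "/widget/": widget_view, "/admin/": admin_view}

def header_for(path, settings=None):
    """Return the X-Frame-Options value the stack would emit for `path` (None if absent)."""
    app = XFrameOptionsMiddleware(lambda p: ROUTES[p](p), settings or {})
    return app(path).headers.get("X-Frame-Options")
```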

Ticket 14261 - add basic clickjacking protection to Django

2011-03-12 Thread Ryan N
See approved ticket: http://code.djangoproject.com/ticket/14261 There, Luke Plant said: """ +1, I was going to suggest it myself. The patch looks pretty good. After Django 1.3 is out, we should have some discussion on django-devs about: - what the default value should be (I think SAMEORIGIN woul