Stronger wording for CSRF protection in `modifying upload handlers on the fly`
|Reported by:||Tom Christie||Owned by:||Tom Christie|
|Cc:||Triage Stage:||Ready for checkin|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
The text in "modifying upload handlers on the fly" could be more strongly worded regarding CSRF protection.
It might be better if the text "Assuming you do need CSRF protection, you will then need to use csrf_protect() on the function that actually processes the request." simply read "You will then need to use csrf_protect() on the function that actually processes the request."
Obviously it's a bit of a subjective issue, but I think the stronger implication that we're simply explaining how to defer when the CSRF validation runs, rather than making a decision about whether it should be run, would be slightly better.
Change History (6)
comment:1 Changed 5 years ago by
|Component:||Uncategorized → Documentation|
|Triage Stage:||Unreviewed → Accepted|
|Type:||Uncategorized → Cleanup/optimization|
comment:2 Changed 5 years ago by
|Owner:||changed from nobody to Tom Christie|
|Status:||new → assigned|