Changes between Version 13 and Version 14 of CsrfProtection
- Timestamp:
- Sep 10, 2009, 12:10:09 PM (15 years ago)
CsrfProtection
v13 → v14 (lines 71-75; the third bullet is new in v14)

* It removes the ability to do streaming of responses (should that become a possibility in future Django versions)
* It adds the CSRF token to all POST forms, including those targeted at external sites. These sites would then gain access to the CSRF token and would be able to do CSRF attacks on that user. (This can be avoided by use of the `@csrf_response_exempt` decorator if the page has no internal forms, but that might be an unacceptable constraint, and the default behaviour opens up vulnerabilities easily). To put it simply, control over token insertion is on a page by page basis, when it needs to be form by form.
* (added in v14) Modifying `!HttpResponse.content` can have nasty side effects and interactions with other middleware, e.g. see #9163.

* !SafeForm - a Django Form subclass that adds the token. Proposal abandoned in favour of template tag for various reasons.
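As an added illustration of the page-by-page versus form-by-form point above (example code, not Django's middleware or the wiki author's), the following shows a naive response rewrite that stamps the token into every POST form, next to a variant that skips forms whose action points off-site; the HTML, token value and host name are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Constructed sample page: one internal POST form and one POST form
# whose action targets an external site.
SAMPLE_HTML = """
<form method="post" action="/accounts/login/">
  <input type="text" name="username">
</form>
<form method="post" action="https://payments.example.net/pay">
  <input type="hidden" name="amount" value="10">
</form>
"""

_POST_FORM_RE = re.compile(r"(<form\b[^>]*\bmethod\s*=\s*['\"]post['\"][^>]*>)", re.IGNORECASE)
_ACTION_RE = re.compile(r"\baction\s*=\s*['\"]([^'\"]*)['\"]", re.IGNORECASE)


def hidden_token_field(token):
    return '<input type="hidden" name="csrfmiddlewaretoken" value="%s">' % token


def inject_page_wide(html, token):
    """Response rewrite in the style the wiki criticises: every POST form on
    the page gets the token, regardless of where it submits, so the external
    form above would carry (and leak) the token as well."""
    return _POST_FORM_RE.sub(lambda m: m.group(1) + hidden_token_field(token), html)


def inject_internal_only(html, token, own_host):
    """Form-by-form control: only forms whose action is relative or stays on
    own_host receive the token; forms posting elsewhere are left untouched."""
    def repl(m):
        tag = m.group(1)
        action = _ACTION_RE.search(tag)
        target = urlsplit(action.group(1)).netloc if action else ""
        if target and target.lower() != own_host.lower():
            return tag  # external target: do not hand it the token
        return tag + hidden_token_field(token)
    return _POST_FORM_RE.sub(repl, html)


def forms_carrying_token(html, token):
    """Return the action URL of every form that contains the token, so a
    reviewer can see exactly where the token would be sent on submit."""
    carrying = []
    for form in re.findall(r"<form\b.*?</form>", html, re.IGNORECASE | re.DOTALL):
        if token in form:
            action = _ACTION_RE.search(form)
            carrying.append(action.group(1) if action else "")
    return carrying
```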