Changes between Version 6 and Version 7 of CsrfProtection

Timestamp: 07/29/09 03:55:20 (5 years ago)
Author: lukeplant
Comment: --

  • CsrfProtection

    v6 v7  
    5858   * The performance hit from doing the post processing. 
    5959   * It removes the ability to do streaming of responses (should that become a possibility in future Django versions) 
    60    * It adds the CSRF token to all POST forms, including those targeted at external sites.  These sites would then gain access to the CSRF token and would be able to do CSRF attacks on that user. (This can be avoided by use of the `@csrf_response_exempt` decorator if the page has no internal forms, but that might be an unacceptable constraint, and the default behaviour opens up vulnerabilities easily). 
     60   * It adds the CSRF token to all POST forms, including those targeted at external sites.  These sites would then gain access to the CSRF token and would be able to do CSRF attacks on that user. (This can be avoided by use of the `@csrf_response_exempt` decorator if the page has no internal forms, but that might be an unacceptable constraint, and the default behaviour opens up vulnerabilities easily).  To put it simply, control over token insertion is on a page by page basis, when it needs to be form by form. 
    6161 
    6262 * !SafeForm - a Django Form subclass that adds the token.  Proposal abandoned in favour of template tag for various reasons.
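Review bot: The sentence appended to line 60 states the actual limitation (token insertion is controlled page by page when it must be form by form) but stops short of pointing at the remedy; the template tag that line 62 says replaced !SafeForm is precisely the per-form mechanism, so a short pointer such as "the template tag approach below gives form by form control" would close the argument for the reader. The parenthetical before it still presents `@csrf_response_exempt` as a way the leak "can be avoided", which reads as a general workaround even though, as the new sentence makes explicit, it only applies when the page has no internal forms at all; consider tightening it to "can only be avoided ... if the page has no internal forms" so the two halves of the bullet agree.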