Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default
From | Magnus Hagander |
---|---|
Subject | Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default |
Date | |
Msg-id | CABUevEzW_1PL_DTACTZUdwV_hkbPn56xsH_OjCUkLjhX6hS6aA@mail.gmail.com |
In response to | [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default (Marti Raudsepp <marti@juffo.org>) |
Responses | Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default |
List | pgsql-www |
On Tue, Oct 30, 2012 at 9:54 PM, Marti Raudsepp <marti@juffo.org> wrote:
> Hi list,
> I noticed that most of the forms on the Postgres community site don't
> use CSRF protection. That's bad -- CSRF should be on by default.
> I went through all the views that handle POST data and didn't find any
> that should handle input from cross-domain requests. But CSRF
> exceptions, if any, should be decorated with @csrf_exempt (from
> django.views.decorators.csrf).
> Also available from my Github repo: https://github.com/intgr/pgweb
Hi!
The diff appears to be reversed. But that's easy enough to deal with during commit.
Have you verified that it works with django 1.2 as well? The production deployment is on that quite old version still...
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/