Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default

Поиск
Список
Период
Сортировка
От Magnus Hagander
Тема Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default
Дата
Msg-id CABUevEwJq+0ny1PuD3DHrJZMRgrv4B6L6FLTw5Kpn9gD13jBuQ@mail.gmail.com
обсуждение исходный текст
Ответ на Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default  (Marti Raudsepp <marti@juffo.org>)
Ответы Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default
Список pgsql-www
Дерево обсуждения
On Fri, Nov 2, 2012 at 4:09 PM, Marti Raudsepp <marti@juffo.org> wrote:
On Fri, Nov 2, 2012 at 4:32 PM, Magnus Hagander <magnus@hagander.net> wrote:
> No, that's not a problem. We strip cookies in varnish by default. We only
> support them over https...

Ahhh! That explains everything. I wasn't aware of the magic that
happens on the proxy level. I thought you were relying on Django to
not send cookies when not necessary, and the proxy respected the HTTP
headers sent by Django like a conforming HTTP proxy.

The attached patch adds @csrf_exempt to the survey view and removes
csrf_token from the template.

Thanks - applied. Please help me keep an extra eye out on things the next couple of days to see if we broke something :)
 

> if we have any other such pages (other than the search, but we can certainly
> disable CSRF for search, right?)

Search uses GET parameters so it already bypasses CSRF.

Ah, good point.
 

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

В списке pgsql-www по дате отправления:

Предыдущее
От: Marti Raudsepp
Дата:
Сообщение: Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default
Следующее
От: Magnus Hagander
Дата:
Сообщение: Re: [GENERAL] Error registering at postgresql.org