| From: | Marti Raudsepp <marti(at)juffo(dot)org> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | pgsql-www <pgsql-www(at)postgresql(dot)org> |
| Subject: | Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default |
| Date: | 2012-11-02 15:09:43 |
| Message-ID: | CABRT9RCBOJUM4hdE0PWhUVfL67t8ZbPJj2hDLeVuHoeCcsA4ow@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-www |
On Fri, Nov 2, 2012 at 4:32 PM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> No, that's not a problem. We strip cookies in varnish by default. We only
> support them over https...
Ahhh! That explains everything. I wasn't aware of the magic that
happens on the proxy level. I thought you were relying on Django to
not send cookies when not necessary, and the proxy respected the HTTP
headers sent by Django like a conforming HTTP proxy.
The attached patch adds @csrf_exempt to the survey view and removes
csrf_token from the template.
> if we have any other such pages (other than the search, but we can certainly
> disable CSRF for search, right?)
Search uses GET parameters so it already bypasses CSRF.
Regards,
Marti
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Enable-CsrfViewMiddleware-make-CSRF-protection-requi.patch | application/octet-stream | 5.2 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2012-11-05 13:12:31 | Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default |
| Previous Message | Magnus Hagander | 2012-11-02 14:36:21 | Re: Search points to ancient manuals |