From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Marti Raudsepp <marti(at)juffo(dot)org> |
Cc: | pgsql-www <pgsql-www(at)postgresql(dot)org> |
Subject: | Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default |
Date: | 2012-11-05 13:12:31 |
Message-ID: | CABUevEwJq+0ny1PuD3DHrJZMRgrv4B6L6FLTw5Kpn9gD13jBuQ@mail.gmail.com |
Lists: | pgsql-www |
On Fri, Nov 2, 2012 at 4:09 PM, Marti Raudsepp <marti(at)juffo(dot)org> wrote:
> On Fri, Nov 2, 2012 at 4:32 PM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> > No, that's not a problem. We strip cookies in varnish by default. We only
> > support them over https...
>
> Ahhh! That explains everything. I wasn't aware of the magic that
> happens on the proxy level. I thought you were relying on Django to
> not send cookies when not necessary, and the proxy respected the HTTP
> headers sent by Django like a conforming HTTP proxy.
>
> The attached patch adds @csrf_exempt to the survey view and removes
> csrf_token from the template.
>
Thanks - applied. Please help me keep an extra eye out on things the next
couple of days to see if we broke something :)
> > if we have any other such pages (other than the search, but we can
> > certainly disable CSRF for search, right?)
>
> Search uses GET parameters so it already bypasses CSRF.
>
Ah, good point.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
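The two behaviours the thread relies on, that a GET-based search never gets CSRF-checked and that a view marked with `@csrf_exempt` is skipped entirely, can be shown with a small self-contained model of the check. The block below is an added illustration, not code from this thread or from Django itself; it reimplements the decision logic in simplified form (a plain cookie-to-field comparison instead of Django's masked token), and the `survey_view`, `search_view` and `account_view` functions are constructed stand-ins for the real pages.

```python
"""Simplified model of a CSRF middleware decision (not Django's actual code).

Two points from the thread are visible in the logic:
  * "safe" methods (GET, HEAD, OPTIONS, TRACE) are never checked, which is why
    a search form that submits via GET already bypasses CSRF;
  * a view flagged exempt (Django's @csrf_exempt sets view.csrf_exempt = True)
    is skipped before any cookie or token is looked at.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
CSRF_COOKIE = "csrftoken"            # cookie name used by Django
CSRF_FIELD = "csrfmiddlewaretoken"   # hidden form field rendered by {% csrf_token %}


@dataclass
class Request:
    """Constructed stand-in for an HTTP request object."""
    method: str
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


def csrf_exempt(view):
    """Mark a view as exempt, mirroring what Django's decorator does."""
    view.csrf_exempt = True
    return view


def new_token():
    """Fresh random token; in Django this is set in the csrftoken cookie."""
    return secrets.token_hex(16)


def csrf_check(request, view):
    """Return (allowed, reason) for a request about to reach `view`."""
    if getattr(view, "csrf_exempt", False):
        return True, "view is exempt"
    if request.method in SAFE_METHODS:
        return True, "safe method"
    cookie = request.cookies.get(CSRF_COOKIE)
    if cookie is None:
        # This is the branch a POST lands in when a proxy strips cookies.
        return False, "CSRF cookie not set"
    submitted = request.post.get(CSRF_FIELD, "")
    if not hmac.compare_digest(cookie, submitted):
        return False, "CSRF token missing or incorrect"
    return True, "token matches cookie"


# Constructed example views (hypothetical, not the real site's code).
@csrf_exempt
def survey_view(request):
    return "survey saved"


def search_view(request):
    return "results"


def account_view(request):
    return "account updated"


def run_demo():
    """Exercise the check against the cases discussed in the thread."""
    token = new_token()
    return {
        # POST to the exempt survey view: allowed even with no cookie at all.
        "survey_post_no_cookie": csrf_check(
            Request("POST", post={"q": "x"}), survey_view),
        # Search via GET: allowed because GET is a safe method.
        "search_get": csrf_check(Request("GET"), search_view),
        # A protected POST whose cookie never arrived.
        "account_post_no_cookie": csrf_check(Request("POST"), account_view),
        # A protected POST with a cookie but a wrong form token.
        "account_post_bad_token": csrf_check(
            Request("POST", cookies={CSRF_COOKIE: token},
                    post={CSRF_FIELD: "wrong"}), account_view),
        # A protected POST with matching cookie and form token.
        "account_post_ok": csrf_check(
            Request("POST", cookies={CSRF_COOKIE: token},
                    post={CSRF_FIELD: token}), account_view),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_demo().items():
        print(f"{name:24s} allowed={allowed!s:5s} ({reason})")
```

In the setup described above, where the proxy strips cookies and only passes them over https, a CSRF-protected POST served over plain http would fall into the `CSRF cookie not set` branch, which is why exempting the survey view is the practical fix, while the GET-based search needs no change.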