django http://cgit.adnoto.dev/django.git/atom?h=archive%2Fsoc2010%2Fapp-loading 2010-09-13T00:04:27Z 2010-09-13T00:04:27Z Arthur Koziel arthur@arthurkoziel.com 2010-09-13T00:04:27Z urn:sha1:dd49269c7db008b2567f50cb03c4d3d9b321daa1 git-svn-id: http://code.djangoproject.com/svn/django/branches/soc2010/app-loading@13818 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2010-03-01T19:58:53Z Jacob Kaplan-Moss jacob@jacobian.org 2010-03-01T19:58:53Z urn:sha1:6e748b5db4ea6db78ce389f474c2fb78ee3976ed The new behavior still disallows redirects to off-site URLs, but now allows redirects of the form `/some/other/view?foo=http://...`. Thanks to brutasse. git-svn-id: http://code.djangoproject.com/svn/django/trunk@12635 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2009-10-27T00:36:34Z Luke Plant L.Plant.98@cantab.net 2009-10-27T00:36:34Z urn:sha1:7230a995ce81a7b8dd093bd03cc5ebd34106ee80 There is stub code for backwards compatiblity with Django 1.1 imports. The documentation has been updated, but has been left in docs/contrib/csrf.txt for now, in order to avoid dead links to documentation on the website. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2009-10-26T23:23:07Z Luke Plant L.Plant.98@cantab.net 2009-10-26T23:23:07Z urn:sha1:8e70cef9b67433edd70935dcc30c621d1e7fc0a0 This is a large change to CSRF protection for Django. It includes: * removing the dependency on the session framework. * deprecating CsrfResponseMiddleware, and replacing with a core template tag. * turning on CSRF protection by default by adding CsrfViewMiddleware to the default value of MIDDLEWARE_CLASSES. * protecting all contrib apps (whatever is in settings.py) using a decorator. For existing users of the CSRF functionality, it should be a seamless update, but please note that it includes DEPRECATION of features in Django 1.1, and there are upgrade steps which are detailed in the docs. Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work on the patch, and to lots of other people including Simon Willison and Russell Keith-Magee who refined the ideas. Details of the rationale for these changes is found here: http://code.djangoproject.com/wiki/CsrfProtection As of this commit, the CSRF code is mainly in 'contrib'. The code will be moved to core in a separate commit, to make the changeset as readable as possible. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2009-10-12T15:32:24Z Luke Plant L.Plant.98@cantab.net 2009-10-12T15:32:24Z urn:sha1:c46ddbf1fc747a910702a348763d7949fba454f0 Thanks to julien for the suggestion and patch, and SmileyChris for work on the patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11618 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2009-04-01T17:02:32Z Jacob Kaplan-Moss jacob@jacobian.org 2009-04-01T17:02:32Z urn:sha1:3e6f4674e2fc190c2116d77066d18f42bd3bcbae git-svn-id: http://code.djangoproject.com/svn/django/trunk@10332 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2009-04-01T16:37:48Z Jacob Kaplan-Moss jacob@jacobian.org 2009-04-01T16:37:48Z urn:sha1:19b9211a3b5424e7908a288c5008bf972cc472f4 git-svn-id: http://code.djangoproject.com/svn/django/trunk@10330 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-08-23T03:26:01Z Brian Rosner brosner@gmail.com 2008-08-23T03:26:01Z urn:sha1:ab26efc95286fa3e7e52f5f9ec232055bcd2cbb7 git-svn-id: http://code.djangoproject.com/svn/django/trunk@8473 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-08-15T17:42:13Z Gary Wilson Jr gary.wilson@gmail.com 2008-08-15T17:42:13Z urn:sha1:3bb50169d9db125d818dde89428de5d4bfc030f1 git-svn-id: http://code.djangoproject.com/svn/django/trunk@8386 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-08-15T17:10:14Z Gary Wilson Jr gary.wilson@gmail.com 2008-08-15T17:10:14Z urn:sha1:415bf3efb3bac1f14efc77d5bdea7a4fddef03de git-svn-id: http://code.djangoproject.com/svn/django/trunk@8383 bcc190cf-cafb-0310-a4f2-bffc1f526a37