summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorPaul McMillan <Paul@McMillan.ws>2011-11-22 01:05:14 +0000
committerPaul McMillan <Paul@McMillan.ws>2011-11-22 01:05:14 +0000
commite13dc4905330dd2705d5b82420141b2fabab9a29 (patch)
tree94131cc6639c7270994019b81821c1c573fe7537 /docs
parent98f5127fb87bbde0b8732c144b8d405d927fba61 (diff)
Improved release notes about session cookie httponly flag (#16847) per Luke's comments.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17140 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.4.txt11
1 files changed, 8 insertions, 3 deletions
diff --git a/docs/releases/1.4.txt b/docs/releases/1.4.txt
index 9275ac6ffe..10cbe3dba9 100644
--- a/docs/releases/1.4.txt
+++ b/docs/releases/1.4.txt
@@ -498,9 +498,6 @@ Django 1.4 also includes several smaller improvements worth noting:
* Added the :djadminopt:`--no-location` option to the :djadmin:`makemessages`
command.
-* Changed the default value for ``httponly`` on session cookies to
- ``True`` to help reduce the impact of potential XSS attacks.
-
* Changed the ``locmem`` cache backend to use
``pickle.HIGHEST_PROTOCOL`` for better compatibility with the other
cache backends.
@@ -948,3 +945,11 @@ Now, the flags are keyword arguments of :meth:`@register.filter
return value
See :ref:`filters and auto-escaping <filters-auto-escaping>` for more information.
+
+Session cookies now have the ``httponly`` flag by default
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Session cookies now include the ``httponly`` attribute by default to
+help reduce the impact of potential XSS attacks. For strict backwards
+compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in settings.
+