| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2020-05-04 | Refs #30573 -- Rephrased "Of Course" and "Obvious(ly)" in documentation and ↵ | Adam Johnson | |
| comments. | |||
| 2020-02-26 | Fixed #28699 -- Fixed CSRF validation with remote user middleware. | Colton Hicks | |
| Ensured process_view() always accesses the CSRF token from the session or cookie, rather than the request, as rotate_token() may have been called by an authentication middleware during the process_request() phase. | |||
| 2020-02-25 | Fixed #31291 -- Renamed salt to mask for CSRF tokens. | Ram Rachum | |
| 2020-02-18 | Refs #26601 -- Deprecated passing None as get_response arg to middleware ↵ | Claude Paroz | |
| classes. This is the new contract since middleware refactoring in Django 1.10. Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2020-01-16 | Fixed #30765 -- Made cache_page decorator take precedence over max-age ↵ | Flavio Curella | |
| Cache-Control directive. | |||
| 2019-10-29 | Fixed #30899 -- Lazily compiled import time regular expressions. | Hasan Ramezani | |
| 2019-10-23 | Refs #26601 -- Removed obsolete workarounds for MIDDLEWARE_CLASSES setting. | Sergey Fedoseev | |
| 2019-09-09 | Fixed #29406 -- Added support for Referrer-Policy header. | Nick Pope | |
| Thanks to James Bennett for the initial implementation. | |||
| 2019-09-09 | Fixed #30426 -- Changed X_FRAME_OPTIONS setting default to DENY. | Claude Paroz | |
| 2019-04-24 | Removed unnecessary assignments in various code. | Jon Dufresne | |
| 2019-03-30 | Optimized CommonMiddleware's check for DISALLOWED_USER_AGENTS. | Brad | |
| Avoided getattribute + getitem for each DISALLOWED_USER_AGENTS. | |||
| 2019-01-28 | Fixed #30137 -- Replaced OSError aliases with the canonical OSError. | Jon Dufresne | |
| Used more specific errors (e.g. FileExistsError) as appropriate. | |||
| 2018-10-30 | Capitalized SecurityMiddleware headers for consistency with other headers. | Artur Juraszek | |
| (No behavior change since HTTP headers are case insensitive.) | |||
| 2018-09-08 | Fixed #29728 -- Prevented session resaving if CSRF cookie is unchanged. | Michal Čihař | |
| 2018-08-01 | Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware. | Andreas Hug | |
| 2018-05-04 | Fixed #26688 -- Fixed HTTP request logging inconsistencies. | Samir Shah | |
| * Added logging of 500 responses for instantiated responses. * Added logging of all 4xx and 5xx responses. | |||
| 2018-04-13 | Fixed #27863 -- Added support for the SameSite cookie flag. | Alex Gaynor | |
| Thanks Alex Gaynor for contributing to the patch. | |||
| 2018-03-16 | Fixed hanging indentation in various code. | Mariusz Felisiak | |
| 2018-02-14 | Fixed #28693 -- Fixed crash in CsrfViewMiddleware when an HTTPS request has ↵ | Tomer Chachamu | |
| an invalid host. | |||
| 2018-02-06 | Fixed #28833 -- Prevented CacheMiddleware from caching responses with ↵ | shanghui | |
| "Cache-Control: private". | |||
| 2018-01-03 | Fixed #28982 -- Simplified code with and/or. | Дилян Палаузов | |
| 2017-11-14 | Fixed #28795 -- Removed 'not in' checks and used dict.setdefault(). | Дилян Палаузов | |
| 2017-11-11 | Refs #26447 -- Removed outdated ETag comment in CommonMiddleware. | Tim Graham | |
| Follow up to 48d57788ee56811fa77cd37b9edf40535f82d87e. | |||
| 2017-09-22 | Refs #26447 -- Removed the USE_ETAGS setting per deprecation timeline. | Tim Graham | |
| 2017-09-20 | Fixed #28488 -- Reallowed error handlers to access CSRF tokens. | Florian Apolloner | |
| Regression in eef95ea96faef0b7dbbe0c8092202b74f68a899b. | |||
| 2017-03-04 | Refs #27656 -- Updated remaining docstring verbs according to PEP 257. | Anton Samarchyan | |
| 2017-02-27 | Imported django.http classes instead of django.http. | Asif Saifuddin Auvi | |
| 2017-01-30 | Refs #23919 -- Assumed request COOKIES and META are str | Claude Paroz | |
| 2017-01-18 | Refs #23919 -- Removed most of remaining six usage | Claude Paroz | |
| Thanks Tim Graham for the review. | |||
| 2017-01-18 | Refs #23919 -- Removed encoding preambles and future imports | Claude Paroz | |
| 2016-11-30 | Refs #16859 -- Allowed storing CSRF tokens in sessions. | Raphael Michel | |
| Major thanks to Shai for helping to refactor the tests, and to Shai, Tim, Florian, and others for extensive and helpful review. | |||
| 2016-11-29 | Fixed #27402 -- Fixed incorrect LocaleMiddleware redirects with ↵ | Krzysztof Urbaniak | |
| prefix_default_language=False. | |||
| 2016-11-06 | Fixed #26812 -- Fixed APPEND_SLASH on a URL including querystring with a ↵ | Sven Engström | |
| trailing slash. | |||
| 2016-11-05 | Fixed #27346 -- Stopped setting the Content-Length header in ↵ | Adam Malinowski | |
| ConditionalGetMiddleware. | |||
| 2016-10-17 | Fixed #27344 -- Made ConditionalGetMiddleware only process GET requests. | Kevin Christopher Henry | |
| 2016-10-14 | Fixed #27345 -- Stopped setting the Date header in ConditionalGetMiddleware. | Tim Graham | |
| 2016-10-13 | Refs #19705 -- Made GZipMiddleware make ETags weak. | Kevin Christopher Henry | |
| Django's conditional request processing can now produce 304 Not Modified responses for content that is subject to compression. | |||
| 2016-10-10 | Fixed #26447 -- Deprecated settings.USE_ETAGS in favor of ↵ | Denis Cornehl | |
| ConditionalGetMiddleware. | |||
| 2016-09-14 | Fixed #27211 -- Made UpdateCacheMiddleware include caching headers for "304 ↵ | Rinat Khabibiev | |
| Not Modified" responses. | |||
| 2016-09-10 | Fixed #27083 -- Added support for weak ETags. | Kevin Christopher Henry | |
| 2016-08-10 | Fixed #26947 -- Added an option to enable the HSTS header preload directive. | Ed Morley | |
| 2016-07-15 | Fixed #26765 -- Made CommonMiddleware no longer set an ETag when response ↵ | andrewnester | |
| has Cache-Control: no-store. | |||
| 2016-06-27 | Fixed #5897 -- Added the Content-Length response header in CommonMiddleware | Claude Paroz | |
| Thanks Tim Graham for the review. | |||
| 2016-06-17 | Refs #26601 -- Improved backwards-compatibility of DEP 5 middleware ↵ | Carl Meyer | |
| exception handling. | |||
| 2016-06-04 | Removed an unused logger in middleware/common.py | Tim Graham | |
| 2016-06-04 | Fixed #26628 -- Changed CSRF logger to django.security.csrf. | Holly Becker | |
| 2016-05-19 | Fixed some newlines in imports per isort. | Tim Graham | |
| 2016-05-19 | Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them | Shai Berger | |
| Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews. | |||
| 2016-05-17 | Fixed #26601 -- Improved middleware per DEP 0005. | Florian Apolloner | |
| Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP. | |||
| 2016-05-17 | Refs #26601 -- Refactored BaseHandler to prepare for new-style middleware. | Florian Apolloner | |
