On 08/27/2013 09:41 PM, Dirk Müller wrote:
Hi Tony,
disable/uninstall/neuter this "feature." Also, I cannot find any other web framework which uses this approach to fighting XSS attacks (and AFAIK the XSS problem has been mostly addressed by practically everyone in some way).
Please note that XSS and CSRF are two completely different things. I assume from your description that you're indeed talking about CSRF. There are indeed two ways to implement CSRF protection in django, using cookies or using hidden form values using POST.
And there's the X-CSRFToken HTTP header.
given that the latter is largely inconvenient, CSRF cookies is the de-facto standard used by most web frameworks.
Well, not really. It is true that people often forget to add the CSRF token to their forms when they write them by hand. That's why form generation frameworks for major web frameworks are so handy. But form values are mostly annoying with AJAX POST requests, for which everybody has his personal hack [1]. BTW, it's actually the default method in both the Rails and the Django communities. And surprise, surprise, even Horizon does that:

% grep -r csrf_token . --exclude-dir=.venv --exclude-dir=.tox
./horizon/templates/horizon/common/_workflow.html:
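As an added illustration of the mechanism the thread is arguing about (example code, not code from Django, Horizon or any of the posters): a minimal server-side check that accepts the token from either the hidden form field (plain HTML form) or the X-CSRFToken header (AJAX) and compares it against the session cookie. The cookie, field and header names follow Django's defaults; the request is modelled as plain dicts, which is an assumption for the example.

```python
import hmac
import secrets
from typing import Dict

# Methods that must not change state and therefore need no token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def new_csrf_token() -> str:
    """Unpredictable per-session token; the server sets it as the CSRF cookie."""
    return secrets.token_urlsafe(32)


def csrf_check(method: str,
               cookies: Dict[str, str],
               form: Dict[str, str],
               headers: Dict[str, str],
               cookie_name: str = "csrftoken",
               field_name: str = "csrfmiddlewaretoken",
               header_name: str = "X-CSRFToken") -> bool:
    """Return True if the request passes the cookie-vs-echoed-token check.

    A state-changing request must echo the cookie value either in the hidden
    form field (the form-generation case) or in the X-CSRFToken header (the
    AJAX case). A cross-site page cannot read the cookie, so it cannot supply
    a matching copy; the check therefore rejects forged cross-origin POSTs.
    """
    if method.upper() in SAFE_METHODS:
        return True
    expected = cookies.get(cookie_name)
    if not expected:
        # No cookie at all: nothing to compare against, so fail closed.
        return False
    # HTTP header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    supplied = form.get(field_name) or hdrs.get(header_name.lower())
    if not supplied:
        return False
    # Constant-time comparison avoids leaking the token via timing.
    return hmac.compare_digest(expected.encode("utf-8"),
                               supplied.encode("utf-8"))
```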