> I had forgotten about the Referer header check. It seems that it
> would stop the subdomain-to-subdomain CSRF attacks as long as
> the site is only using HTTPS, wouldn't it?
Yep. I think the balance there makes sense. It would be nice to figure out a good way to do optional checking for non-HTTPS, but really, everyone should be using HTTPS.

-Paul

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.

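The check discussed in the thread, written out as an added illustration (this is example code, not Django's own CSRF middleware): on an HTTPS request the Referer must be present, must itself be https://, and its host must equal the request host exactly, so a request originating from a sibling subdomain fails the check; on a plain HTTP request the check is skipped, which is the gap Paul refers to. The function names, the hosts and the sample requests are all constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed sample requests: (is_secure, request_host, referer_header).
# Hosts and paths are made up for the illustration.
SAMPLE_REQUESTS = [
    (True,  "app.example.com", "https://app.example.com/account/form"),  # same origin
    (True,  "app.example.com", "https://evil.example.com/csrf"),         # sibling subdomain
    (True,  "app.example.com", "http://app.example.com/account/form"),   # non-https Referer
    (True,  "app.example.com", None),                                     # Referer stripped
    (False, "app.example.com", "http://evil.example.com/csrf"),          # plain HTTP request
]


def referer_check_passes(is_secure, host, referer):
    """Strict same-origin Referer check, applied only to HTTPS requests.

    Assumption (hypothetical policy, not Django's exact code): the request
    host is compared against the Referer's netloc (host plus optional port)
    for exact, case-insensitive equality, so no subdomain is trusted.
    Returns (ok, reason).
    """
    if not is_secure:
        # Plain HTTP: no Referer check is performed, as the thread notes.
        return True, "non-HTTPS request, Referer not checked"
    if not referer:
        # A missing Referer on HTTPS is treated as a failure rather than
        # a pass, otherwise stripping the header would bypass the check.
        return False, "missing Referer on HTTPS request"
    parts = urlsplit(referer)
    if parts.scheme.lower() != "https":
        return False, "Referer is not an https:// URL"
    if parts.netloc.lower() != host.lower():
        return False, "Referer host %r does not match request host %r" % (parts.netloc, host)
    return True, "same-origin https Referer"


def evaluate_samples(samples=SAMPLE_REQUESTS):
    """Run the check over the constructed requests; returns a list of (ok, reason)."""
    return [referer_check_passes(secure, host, ref) for secure, host, ref in samples]


if __name__ == "__main__":
    for (secure, host, ref), (ok, reason) in zip(SAMPLE_REQUESTS, evaluate_samples()):
        scheme = "https" if secure else "http"
        print("%-5s %s://%s  Referer=%-40s  %s" % (ok, scheme, host, ref, reason))
```

Only the first and last constructed requests pass: the sibling-subdomain, downgraded-scheme and missing-Referer cases are rejected on HTTPS, while the HTTP request passes untouched because the check never runs there.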