On 2013-08-08 09:59, Collin Anderson wrote: >> I am doing something a little different with my CSRF tokens, and >> I believe it guards against BREACH. > > Instead of sending the token in the HTTP response, I am using > javascript to read (and generate if needed) the CSRF token cookie. > The javascript reads the token from the cookie and adds it as a > hidden field to any forms that need it on the page. > > This also has two bonus benefits:
but also has the downside that it doesn't work if JS is disabled. You may or may not care, but it's at least something to consider (JS-free interactions may come from older devices, or from testing tools, etc; so I've found enough benefit to code for JS-free and then add in additional functionality). -tkc -- You received this message because you are subscribed to the Google Groups "Django developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/django-developers. For more options, visit https://groups.google.com/groups/opt_out.
