Hello,
I'm wondering why django.template.context defines:
# We need the CSRF processor no matter what the user has in their settings,
# because otherwise it is a security vulnerability, and we can't afford to leave
# this to human error or failure to read migration instructions.
_builtin_context_processors = ('django.core.context_processors.csrf',)
and then forcibly prepends it to settings.TEMPLATE_CONTEXT_PROCESSORS.
If the template context processor was missing, {% csrf_token %} wouldn't output
anything in templates. Then it would be impossible to submit forms, but that
would be a bug.
The CSRF context processor even has a branch that returns NOTPROVIDED. {%
csrf_token %} specifically tests for this case and doesn't output anything when
it happens.
So I fail to find the security vulnerability the comment talks about. I didn't
find the answer in:
- https://github.com/django/django/commit/8e70cef9b67433edd70935dcc30c621d1e7fc0a0
- https://code.djangoproject.com/ticket/9977
- https://code.djangoproject.com/wiki/CsrfProtection
Does anyone remember the reasoning?
Thanks,
--
Aymeric.
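To make the wiring the message describes concrete, here is a small added model (written for this page, not Django's own code) of the three pieces involved: the forced prepend of the builtin processor, the NOTPROVIDED branch of the context processor, and a {% csrf_token %} tag that renders nothing when no token is in the context. Function names, the dict-based request and the sample token are assumptions.

```python
# Constructed model of the CSRF context-processor wiring discussed above.
# Names mirror Django's for readability, but this is not Django's code.

NOTPROVIDED = object()  # sentinel: processor ran but the request carried no token

BUILTIN_CONTEXT_PROCESSORS = ("django.core.context_processors.csrf",)


def csrf_processor(request):
    """Model of the csrf context processor: expose the token or NOTPROVIDED."""
    token = request.get("csrf_token")
    return {"csrf_token": token if token else NOTPROVIDED}


# Maps dotted processor names to callables; only the CSRF one is modelled here.
PROCESSOR_TABLE = {"django.core.context_processors.csrf": csrf_processor}


def effective_processors(configured):
    """Builtins are prepended to the configured list, without duplicates."""
    merged = list(BUILTIN_CONTEXT_PROCESSORS)
    merged.extend(name for name in configured if name not in merged)
    return tuple(merged)


def build_context(request, processor_names):
    """Run each processor and merge its output into one template context."""
    context = {}
    for name in processor_names:
        context.update(PROCESSOR_TABLE.get(name, lambda _req: {})(request))
    return context


def csrf_token_tag(context):
    """Model of {% csrf_token %}: empty output when the token is absent or NOTPROVIDED."""
    token = context.get("csrf_token")
    if token is None or token is NOTPROVIDED:
        return ""
    return '<input type="hidden" name="csrfmiddlewaretoken" value="%s">' % token


def render_form(request, configured_processors, force_builtins=True):
    """Render the tag with or without the forced builtin processor."""
    if force_builtins:
        names = effective_processors(configured_processors)
    else:
        names = tuple(configured_processors)
    return csrf_token_tag(build_context(request, names))
```

With `force_builtins=False` and an empty TEMPLATE_CONTEXT_PROCESSORS the tag renders nothing, which is the "forms cannot be submitted" outcome the message describes; with the prepend in place the hidden input is always emitted when the request carries a token.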