On 2 Dec 2013, at 03:42, Egor Homakov <[email protected]> wrote:

> What I actually want is to make people understand and check if they have this
> problem. Deprecation is one of the means to do it.

No, it isn't. Deprecation means we intend to remove that feature in the next major release, which we don't want to do. Single-page apps may be the latest hotness but that doesn't invalidate the previous two decades of web development. We didn't remove forms when CSRF attacks were developed, we developed protections against them. This is exactly the same scenario - we need to develop useful, easy to use protections that we can enable by default.

Egor, can you clarify one point for me - you mention that JS templates allow stealing of the CSRF token if they return a form, but surely that would be true even for HTML templates?

Andrew
