discrepancy in default CSRF settings


Erik Romijn

Apr 9, 2012, 5:12:53 AM4/9/12
to django-d...@googlegroups.com
Hi,

In order to enable CSRF protection, one needs to add the CsrfViewMiddleware to the middleware classes, and add the CSRF context processor to the context processors.

However, it seems that the defaults are to add the middleware, but not the context processor. Is there a specific reason for this?

After all, if we did not want to enable CSRF protection by default, we should include neither the middleware nor the context processor. If we do want it to be default, both should be included. The current defaults seem to be halfway between these options.

Should we not just add the CSRF context processor to the default context processors? Or is there an underlying reason to keep it out?

cheers,
Erik

mjl Martin J. Laubach

Apr 9, 2012, 5:32:28 AM4/9/12
to django-d...@googlegroups.com

> However, it seems that the defaults are to add the middleware, but not the context processor. Is there a specific reason for this?

The docs say:

> In the corresponding view functions, ensure that the 'django.core.context_processors.csrf' context processor is being used. Usually, this can be done in one of two ways:
>
> 1. Use RequestContext, which always uses 'django.core.context_processors.csrf' (no matter what your TEMPLATE_CONTEXT_PROCESSORS setting). [...]

Cheers,

mjl


Erik Romijn

Apr 9, 2012, 6:03:07 AM4/9/12
to django-d...@googlegroups.com
Hi,

On Apr 9, 2012, at 11:32 AM, mjl Martin J. Laubach wrote:
> In the corresponding view functions, ensure that the 'django.core.context_processors.csrf' context processor is being used. Usually, this can be done in one of two ways:
> • Use RequestContext, which always uses 'django.core.context_processors.csrf' (no matter what your TEMPLATE_CONTEXT_PROCESSORS setting). [...]

Thanks for pointing that out, you're absolutely right. Not sure how I managed to misread that every time :)

cheers,
Erik
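
The mechanism this thread turns on, as an added example that is not code from the thread or from Django itself: a stripped-down model of the CsrfViewMiddleware check and the csrf context processor, showing why a form rendered without RequestContext fails the POST check as soon as the middleware is enabled, while a RequestContext render passes regardless of TEMPLATE_CONTEXT_PROCESSORS. Every function name and the request dict layout are assumptions made for this model.

```python
import secrets

# Constructed model of the two pieces the thread discusses; this is not
# Django's code, and every name below is made up for the illustration.
FORM_TEMPLATE = "<form method='post'>{csrf_field}<input name='q'></form>"
TOKEN_MARKER = "name='csrfmiddlewaretoken' value='"


def csrf_context_processor(request):
    """Stand-in for django.core.context_processors.csrf: expose the cookie token."""
    return {"csrf_token": request["cookies"].get("csrftoken", "")}


def render_plain(request):
    """Plain dict context: no context processors run, so no token in the form."""
    return FORM_TEMPLATE.format(csrf_field="")


def render_with_request_context(request):
    """Stand-in for RequestContext: the csrf processor is applied regardless of
    TEMPLATE_CONTEXT_PROCESSORS, so the hidden field gets a value."""
    token = csrf_context_processor(request)["csrf_token"]
    field = f"<input type='hidden' {TOKEN_MARKER}{token}'>"
    return FORM_TEMPLATE.format(csrf_field=field)


def csrf_middleware_accepts(request):
    """Stand-in for CsrfViewMiddleware on unsafe methods: cookie must match field."""
    if request["method"] in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True
    cookie = request["cookies"].get("csrftoken", "")
    submitted = request["post"].get("csrfmiddlewaretoken", "")
    return bool(cookie) and secrets.compare_digest(cookie, submitted)


def submit_form(html, cookies):
    """Browser side: echo whatever hidden token the rendered form carried."""
    start = html.find(TOKEN_MARKER)
    token = ""
    if start >= 0:
        start += len(TOKEN_MARKER)
        token = html[start:html.index("'", start)]
    return {"method": "POST", "cookies": cookies, "post": {"csrfmiddlewaretoken": token}}


def demo():
    """Returns (plain_render_accepted, request_context_render_accepted)."""
    cookies = {"csrftoken": secrets.token_hex(16)}
    get = {"method": "GET", "cookies": cookies, "post": {}}
    plain = csrf_middleware_accepts(submit_form(render_plain(get), cookies))
    with_rc = csrf_middleware_accepts(submit_form(render_with_request_context(get), cookies))
    return plain, with_rc
```

With the middleware on by default, the plain render is the "halfway" state the first message describes: the check runs, but the form never received a token to send back.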
