On Sat, 18 Aug 2018 21:27:02 +0200
Adam Johnson <m...@adamj.eu> wrote:
> I'm not sure introducing this change because one analyzer tool
> currently picks up on the signal is a great reason, only a little bit
> of potential obscurity is gained. Especially since it's a problem for
> big sites deploying it, as Aymeric points out we'd need to write a
> shim.
>
+1.
On Sat, 18 Aug 2018 at 18:31, Aymeric Augustin <aymeric....@polytechnique.org> wrote:
> Perhaps we could reuse settings.CSRF_COOKIE_NAME there instead of the
> hardcoded "csrfmiddlewaretoken"? That would meet the stated goal
> without introducing a new setting. Also it feels sensible to me to
> use the same name for the input and the cookie.
This sort of reuse feels wrong to me -- if we do allow changing the
name, I'd be -0.5 on reusing the setting and tying these two names to
each other.