Archives Dec. 13, 2013

Django CSRF explicitly doesn't trust HTTP when submitting to HTTPS

I managed to introduce a wonderful little bug in the Django blog site here. I wanted all contributors (those making comments and myself) to use HTTPS, but I didn't want to rewrite the templates for the Zinnia blog entries, so I just naively redirected the comments form to the HTTPS site. CSRF protection in Django explicitly does not allow HTTP-to-HTTPS posts (which is a good thing, in general, as it prevents someone rewriting the post on the fly). Oops. For now I've made the comments form post to the same protocol you're using to browse. It's ...
