Improved release notes about session cookie httponly flag (#16847) per Luke's comments.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17140 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 98f5127fb8
commit e13dc49053
@ -498,9 +498,6 @@ Django 1.4 also includes several smaller improvements worth noting:
* Added the :djadminopt:`--no-location` option to the :djadmin:`makemessages`
command.
* Changed the default value for ``httponly`` on session cookies to
``True`` to help reduce the impact of potential XSS attacks.
* Changed the ``locmem`` cache backend to use
``pickle.HIGHEST_PROTOCOL`` for better compatibility with the other
cache backends.
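Review bot: removing the ``httponly`` bullet from the "smaller improvements" list is the right call, since a changed default is a behaviour change rather than an improvement, but the removal leaves this list with no pointer to where the entry went; a short "see the backwards incompatible changes below" would help readers who scan only this section. Also confirm in the rendered output that exactly one blank line remains between the ``command.`` line of the ``--no-location`` bullet and ``* Changed the ``locmem`` cache backend to use``, so the two surviving bullets do not merge into one paragraph.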
@ -948,3 +945,11 @@ Now, the flags are keyword arguments of :meth:`@register.filter
return value
See :ref:`filters and auto-escaping <filters-auto-escaping>` for more information.
Session cookies now have the ``httponly`` flag by default
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Session cookies now include the ``httponly`` attribute by default to
help reduce the impact of potential XSS attacks. For strict backwards
compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in settings.
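Review bot: ``SESSION_COOKIE_HTTPONLY = False`` in the last added line is a bare literal, while the rest of this file cross-references with roles (``:djadminopt:``, ``:djadmin:``); mark the setting up with the settings role (``:setting:`SESSION_COOKIE_HTTPONLY```) so the release note links to its reference entry. "help reduce the impact of potential XSS attacks" is also too vague for a backwards-incompatibility note: state what the flag actually does, i.e. browsers that honour ``httponly`` refuse to expose the cookie to client-side script, so a script injected through an XSS bug cannot read the session ID out of ``document.cookie``, which limits session hijacking but does nothing against the XSS itself or against requests the injected script makes with the cookie attached. Finally, "strict backwards compatibility" does not tell readers when they need the opt-out; the concrete case is application JavaScript that reads the session cookie, which will silently stop seeing it after this change.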