mirror of https://github.com/django/django.git
Fixed #17766. Clarified HttpOnly flag on session cookie.
Thanks ptone for the patch! git-svn-id: http://code.djangoproject.com/svn/django/trunk@17618 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
60119d4f49
commit
2a4e49595a
|
@ -1112,8 +1112,11 @@ Session cookies now have the ``httponly`` flag by default
|
|||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Session cookies now include the ``httponly`` attribute by default to
|
||||
help reduce the impact of potential XSS attacks. For strict backwards
|
||||
compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.
|
||||
help reduce the impact of potential XSS attacks. As a consequence of
|
||||
this change, session cookie data, including sessionid, is no longer
|
||||
accessible from Javascript in many browsers. For strict backwards
|
||||
compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your
|
||||
settings file.
|
||||
|
||||
Wildcard expansion of application names in `INSTALLED_APPS`
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
|
|
@ -998,8 +998,11 @@ Session cookies now have the ``httponly`` flag by default
|
|||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Session cookies now include the ``httponly`` attribute by default to
|
||||
help reduce the impact of potential XSS attacks. For strict backwards
|
||||
compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.
|
||||
help reduce the impact of potential XSS attacks. As a consequence of
|
||||
this change, session cookie data, including sessionid, is no longer
|
||||
accessible from Javascript in many browsers. For strict backwards
|
||||
compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your
|
||||
settings file.
|
||||
|
||||
The :tfilter:`urlize` filter no longer escapes every URL
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
|
Loading…
Reference in New Issue