Fixed #16847. Session Cookies now default to httponly = True.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17135 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-10-31 09:41:08 +00:00 · 2011-11-21 22:03:03 +00:00
parent 43c5d35315
commit 4d975b4f88
5 changed files with 40 additions and 12 deletions
--- a/docs/releases/1.4.txt
+++ b/docs/releases/1.4.txt
@@ -451,10 +451,10 @@ Minor features

 Django 1.4 also includes several smaller improvements worth noting:

-* A more usable stacktrace in the technical 500 page: frames in the stack
-  trace which reference Django's code are dimmed out, while frames in user
-  code are slightly emphasized. This change makes it easier to scan a stacktrace
-  for issues in user code.
+* A more usable stacktrace in the technical 500 page: frames in the
+  stack trace which reference Django's code are dimmed out, while
+  frames in user code are slightly emphasized. This change makes it
+  easier to scan a stacktrace for issues in user code.

 * :doc:`Tablespace support </topics/db/tablespaces>` in PostgreSQL.

@@ -498,6 +498,9 @@ Django 1.4 also includes several smaller improvements worth noting:
 * Added the :djadminopt:`--no-location` option to the :djadmin:`makemessages`
  command.

+* Changed the default value for ``httponly`` on session cookies to
+  ``True`` to help reduce the impact of potential XSS attacks.
+
 .. _backwards-incompatible-changes-1.4:

 Backwards incompatible changes in 1.4