Commit e13dc490 authored by Paul McMillan's avatar Paul McMillan
Browse files

Improved release notes about session cookie httponly flag (#16847) per Luke's comments. 


git-svn-id: http://code.djangoproject.com/svn/django/trunk@17140 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 98f5127f

docs/releases/1.4.txt

+8 −3
Original line number Diff line number Diff line
@@ -498,9 +498,6 @@ Django 1.4 also includes several smaller improvements worth noting: 
* Added the :djadminopt:`--no-location` option to the :djadmin:`makemessages`

  command.



* Changed the default value for ``httponly`` on session cookies to

  ``True`` to help reduce the impact of potential XSS attacks.



* Changed the ``locmem`` cache backend to use

  ``pickle.HIGHEST_PROTOCOL`` for better compatibility with the other

  cache backends.
@@ -948,3 +945,11 @@ Now, the flags are keyword arguments of :meth:`@register.filter 
        return value



See :ref:`filters and auto-escaping <filters-auto-escaping>` for more information.



Session cookies now have the ``httponly`` flag by default

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Session cookies now include the ``httponly`` attribute by default to

help reduce the impact of potential XSS attacks. For strict backwards

compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in settings.