1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
What's new in Tornado 3.2.2
===========================
June 3, 2014
------------
Security fixes
~~~~~~~~~~~~~~
* The XSRF token is now encoded with a random mask on each request.
This makes it safe to include in compressed pages without being
vulnerable to the `BREACH attack <http://breachattack.com>`_.
This applies to most applications that use both the ``xsrf_cookies``
and ``gzip`` options (or have gzip applied by a proxy).
Backwards-compatibility notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* If Tornado 3.2.2 is run at the same time as older versions on the same
domain, there is some potential for issues with the differing cookie
versions. The `.Application` setting ``xsrf_cookie_version=1`` can
be used for a transitional period to generate the older cookie format
on newer servers.
Other changes
~~~~~~~~~~~~~
* ``tornado.platform.asyncio`` is now compatible with ``trollius`` version 0.3.
|
