id,node_id,number,title,user,state,locked,assignee,milestone,comments,created_at,updated_at,closed_at,author_association,pull_request,body,repo,type,active_lock_reason,performed_via_github_app,reactions,draft,state_reason
647879783,MDU6SXNzdWU2NDc4Nzk3ODM=,876,Add log out link to the pattern portfolio,9599,closed,0,,5533512,1,2020-06-30T05:42:15Z,2020-06-30T23:50:04Z,2020-06-30T23:47:31Z,OWNER,,Follows #875,107914493,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/876/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
648421105,MDU6SXNzdWU2NDg0MjExMDU=,877,Consider dropping explicit CSRF protection entirely?,9599,closed,0,,,9,2020-06-30T19:00:55Z,2020-09-15T20:42:05Z,2020-09-15T20:42:04Z,OWNER,,"https://scotthelme.co.uk/csrf-is-dead/ from Feb 2017 has background here. The `SameSite=lax` cookie property effectively eliminates CSRF in modern browsers. https://caniuse.com/#search=SameSite shows 92.13% global support for it. Datasette already uses `SameSite=lax` when it sets cookies by default: https://github.com/simonw/datasette/blob/af350ba4571b8e3f9708c40f2ddb48fea7ac1084/datasette/utils/asgi.py#L327-L341 A few options then. I could ditch CSRF protection entirely. I could make it optional - turn it off by default, but let users who care about that remaining 7.87% of global users opt back into it.
One catch: login CSRF: I don't see how `SameSite=lax` protects against that attack.",107914493,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/877/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
648435885,MDU6SXNzdWU2NDg0MzU4ODU=,878,"New pattern for views that return either JSON or HTML, available for plugins",9599,open,0,,3268330,26,2020-06-30T19:26:13Z,2022-03-19T16:19:30Z,,OWNER,,"Can be part of #870 - refactoring existing views to use `register_routes()`. > I'm going to put the new `check_permissions()` method on `BaseView` as well. If I want that method to be available to plugins I can do so by turning that `BaseView` class into a documented API that plugins are encouraged to use themselves. _Originally posted by @simonw in https://github.com/simonw/datasette/issues/832#issuecomment-651995453_",107914493,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/878/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,
648569227,MDU6SXNzdWU2NDg1NjkyMjc=,879,Database page documentation still talks about hashes in URLs,9599,closed,0,,5533512,1,2020-06-30T23:43:17Z,2020-06-30T23:48:06Z,2020-06-30T23:45:42Z,OWNER,,"https://datasette.readthedocs.io/en/0.44/pages.html > Note that these URLs end in a 7 character hash. This hash is derived from the contents of the database, and ensures that each URL is immutable: the data returned from a URL containing the hash will always be the same, since if the contents of the database file changes by even a single byte a new hash will be generated.
This isn't accurate any more - that's not default behaviour, and it may be removed entirely in #647.",107914493,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/879/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed