At the moment you can perform cross-site request forgeries,
cross-site scripting and similar things on MediaGoblin pages.

Some things, like CSRF protection (`#361 </issues/361>`_), benefit
from the ability to uniformly call helpers before and after a
request is processed by the view. In the case of CSRF, we want to
confirm that the token matches before processing the view, and make
sure the token is set before delivering the response. Unlike WSGI
middleware, this sort of wrapping is an integral part of the
application.

Trying to access any Atom feed (e.g.
`http://mg.wandborg.se/u/joar/atom/ <http://mg.wandborg.se/u/joar/atom/>`_)
will raise an exception.

::

    ------------------------------------------------------------
    Error - <type 'exceptions.AttributeError'>: 'BaseResponse' object has no attribute 'vary'
    URL: http://mg.wandborg.se/u/joar/atom/
    File '/home/joar/mediagoblin/lib/python2.7/site-packages/Paste-1.7.5.1-py2.7.egg/paste/exceptions/errormiddleware.py', line 144 in __call__
      app_iter = self.application(environ, sr_checker)
    File '/home/joar/mediagoblin/lib/python2.7/site-packages/Paste-1.7.5.1-py2.7.egg/paste/urlmap.py', line 203 in __call__
      return app(environ, start_response)
    File '/home/joar/mediagoblin/lib/python2.7/site-packages/Beaker-1.6.1-py2.7.egg/beaker/middleware.py', line 155 in __call__
      return self.wrap_app(environ, session_start_response)
    File '/home/joar/mediagoblin/mediagoblin/app.py', line 175 in __call__
      m.process_response(request, response)
    File '/home/joar/mediagoblin/mediagoblin/middleware/csrf.py', line 101 in process_response
      response.vary = (response.vary or []) + ['Cookie']
    AttributeError: 'BaseResponse' object has no attribute 'vary'