What's new in Tornado 3.2.2
===========================

June 3, 2014
------------

Security fixes
~~~~~~~~~~~~~~

* The XSRF token is now encoded with a random mask on each request.
  This makes it safe to include in compressed pages without being
  vulnerable to the `BREACH attack <http://breachattack.com>`_.
  This applies to most applications that use both the ``xsrf_cookies``
  and ``gzip`` options (or have gzip applied by a proxy).

Backwards-compatibility notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* If Tornado 3.2.2 is run at the same time as older versions on the same
  domain, there is some potential for issues with the differing cookie
  versions.  The `.Application` setting ``xsrf_cookie_version=1`` can
  be used for a transitional period to generate the older cookie format
  on newer servers.

Other changes
~~~~~~~~~~~~~

* ``tornado.platform.asyncio`` is now compatible with ``trollius`` version 0.3.