> The applications I have in mind (where the "subdomain can set cookies
> for other subdomains" could hurt) use django.contrib.auth and thus
> sessions as well. Thus, they already have to do a session lookup for the
> auth check, haven't they? Could that be reused for the CSRF check?

Yes. Unfortunately, the cookie model (and thus your browser) is not
really designed to protect you in this situation. We work around it as
best we can, but it's an uphill struggle.

Yes, it's very possible to tie CSRF to sessions, and the new signing
bits make that even better. Django doesn't currently support this
feature out of the box, and is unlikely to do so in 1.4. I've put some
thought into the design for this, but it's not something I want to
rush into, and it's not something that is easy to just tell someone
else how to do and let them go implement it. I don't have the time to
really turn this into a solid feature before we freeze 1.4.

In the meantime, if you use SSL on each of your subdomains, you get
strict checking of the Referer header for CSRF, which mitigates that
particular avenue of attack. Since you're using sessions and auth, you
should be using SSL, and so the protection is mostly free.

> Just so I am not missing a class of attacks here: how important is CSRF
> protection for non-session applications? I have always viewed CSRF
> chiefly as an attack where you try to fool somebody who is authenticated
> (and therefore has privileges in the system) to ask the system to
> do a bad thing by doing the cross-site POST.

Those are the worst sorts of CSRF. CSRF protection also helps prevent
spamming, and can discourage reflected DoS attacks. Additionally, CSRF
protection can help mitigate the effects of XSS in some cases.

> If you would like help with testing etc for this, I hope I can offer
> some time.

Thanks, I'll take you up on that when I do get a chance to start
drafting things.

I went ahead and created #16859 to help keep track of these issues.
https://code.djangoproject.com/ticket/16859

-Paul

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.

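As an added illustration of the two mitigations discussed above (not code from the thread, and not Django's own CSRF or signing implementation): a CSRF token whose HMAC covers the session key, so a token minted for one session does not validate against another, which is what defeats a cookie planted by a sibling subdomain; plus the strict Referer check that Django applies to HTTPS requests. The `SECRET_KEY` value, the `nonce.timestamp.mac` token layout and the helper names are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import urlsplit

# Constructed server secret for the example; in Django this role is played by settings.SECRET_KEY.
SECRET_KEY = b"constructed-example-secret-not-for-production"


def make_csrf_token(session_key: str, now: Optional[float] = None,
                    secret: bytes = SECRET_KEY) -> str:
    """Issue a token of the form nonce.timestamp.mac whose MAC covers the session key.

    Because the session key is part of the MAC input, a token issued for one
    session is useless under any other session cookie.
    """
    nonce = secrets.token_hex(16)
    ts = str(int(time.time() if now is None else now))
    msg = f"{session_key}|{nonce}|{ts}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{ts}.{mac}"


def verify_csrf_token(session_key: str, token: str, max_age: int = 3600,
                      now: Optional[float] = None, secret: bytes = SECRET_KEY) -> bool:
    """Recompute the MAC for this session, compare in constant time, reject stale tokens."""
    try:
        nonce, ts, mac = token.split(".")
        issued = int(ts)
    except ValueError:  # malformed token: wrong field count or non-numeric timestamp
        return False
    msg = f"{session_key}|{nonce}|{ts}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    current = time.time() if now is None else now
    return 0 <= current - issued <= max_age


def referer_ok(request_host: str, referer: Optional[str]) -> bool:
    """Strict Referer check for HTTPS requests: a missing Referer is a rejection, not a pass."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.netloc == request_host
```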