If we add Origin checking, could we then allow a missing referrer and token? (check referrer and token if no origin header)
On Tuesday, February 3, 2015 at 5:15:08 PM UTC-5, Paul McMillan wrote:
>
> The referer check is primarily there to help make users who choose not to use HSTS safer.
>
> Without HSTS, a mitm can set CSRF cookies (e.g. by serving an HTTP page emulating your domain in an iframe on a different unencrypted page, even if you only ever serve your own page from HTTPS), and then post (from wherever) to your secured page. By forcing the post to come from the same domain, we've made this attack significantly less convenient.
>
> I agree that it's really unfortunate that we don't have a better mechanism for this in the browsers, but this still seems to be the best tradeoff we have right now.
>
> -Paul
>
>
> On Tue, Feb 3, 2015 at 9:43 PM, Jon Dufresne <[email protected]> wrote:
> > On Tue, Feb 3, 2015 at 11:52 AM, Aymeric Augustin <[email protected]> wrote:
> >> You can fix that problem by saving some authentication info in the user's session, most likely with a custom auth backend — see django-sesame for an example of how to do this. Then redirect immediately to an URL that doesn't contain the nonce. Of course all this must happen over HTTPS to reduce the likelihood of leaving the nonce in the logs of various caches or reverse proxies.
> >
> > My application is 100% over HTTPS, HTTP traffic is not allowed.
> >
> > Thanks for these pointers. This may not work exactly for me, but it certainly is something interesting to think about. I'll look into it more.
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > To post to this group, send email to [email protected].
> > Visit this group at http://groups.google.com/group/django-developers.
> > To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CADhq2b6SXqY78qiNdB7BkAQUcBHzAFUON%3DY69mEddu6Q55SWdg%40mail.gmail.com.
> > For more options, visit https://groups.google.com/d/optout.
>

--
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/5010287a-f16e-4016-bcd5-4d5940eaf7d1%40googlegroups.com.
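The check proposed at the top of this thread (accept a matching Origin header as the same-origin proof; fall back to Referer only when Origin is absent; always require the token) against the cookie-planting scenario Paul describes, written up as an added example in plain Python. It is not Django's CsrfViewMiddleware and not code from anyone in the thread: the request is modelled as plain dicts, the cookie and form field names are assumed to mirror Django's defaults, and the function is only meant for requests already served over HTTPS.

```python
"""Added illustration, not Django's own code: CSRF validation for an HTTPS
request that accepts Origin as the same-origin proof and falls back to
Referer only when Origin is absent. Token matching follows the double-submit
pattern (cookie value must equal the form field value). All names assumed."""
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
COOKIE_NAME = "csrftoken"          # assumed, mirroring Django's default names
FORM_FIELD = "csrfmiddlewaretoken"


def _same_site(url, allowed_hosts):
    """True if url is an https:// URL whose host[:port] is one of ours.

    An http:// Origin/Referer is rejected on purpose: a MITM-injected HTTP
    page emulating our domain must not count as "from the same site".
    """
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.netloc.lower() in allowed_hosts


def csrf_check(method, headers, cookies, form, allowed_hosts):
    """Return (accepted, reason) for a request served over HTTPS.

    headers, cookies and form are plain dicts standing in for the request
    object; allowed_hosts is a set of lowercase host[:port] strings.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    # 1. Same-origin proof: Origin when present, otherwise Referer.
    origin = headers.get("Origin")
    if origin is not None:
        # Browsers send the literal "null" for opaque origins (sandboxed
        # frames, some redirects); urlsplit("null") has no scheme, so it
        # fails _same_site and is rejected rather than silently trusted.
        if not _same_site(origin, allowed_hosts):
            return False, "Origin header does not match this site"
    else:
        referer = headers.get("Referer")
        if referer is None:
            return False, "neither Origin nor Referer header present"
        if not _same_site(referer, allowed_hosts):
            return False, "Referer header does not match this site"

    # 2. Token: cookie and form values must both exist and match. This alone
    #    does not stop a planted cookie (attacker knows the value he set);
    #    step 1 is what forces the post to come from our own pages.
    cookie_token = cookies.get(COOKIE_NAME)
    form_token = form.get(FORM_FIELD)
    if not cookie_token or not form_token:
        return False, "CSRF token missing"
    if not hmac.compare_digest(cookie_token.encode(), form_token.encode()):
        return False, "CSRF token mismatch"
    return True, "ok"


if __name__ == "__main__":
    tok = "c" * 32  # constructed token value
    hosts = {"example.com"}
    # Planted cookie + matching token, posted from somewhere else: rejected
    # by the Origin check even though the token itself matches.
    print(csrf_check("POST", {"Origin": "https://attacker.test"},
                     {COOKIE_NAME: tok}, {FORM_FIELD: tok}, hosts))
    # Legitimate same-site post that sends Origin but no Referer: accepted.
    print(csrf_check("POST", {"Origin": "https://example.com"},
                     {COOKIE_NAME: tok}, {FORM_FIELD: tok}, hosts))
```

Browsers may suppress Referer (referrer policy, privacy extensions) but send Origin on cross-origin POSTs, so consulting Origin first reduces spurious rejections of real users; the Referer fallback is kept for clients that send no Origin at all, and the "null" origin is treated as a mismatch rather than as "absent".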
