Hi Josh, I think it would make sense to just add a `CSRF_ALLOWED_REFERERS` setting, defaulting to `None` (which would give the current behavior of requiring a match with the `Host` header). If set, it would be a list of valid referer hosts. Documentation needs to be extremely clear that you should only include hosts that are under your control, or you trust completely, to this setting.
Anyone else see a problem with that that I'm missing? You up for filing a ticket and maybe a patch/pull-request too? Carl -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/55E48D02.8000301%40oddbird.net. For more options, visit https://groups.google.com/d/optout.
signature.asc
Description: OpenPGP digital signature
