Anyone else see a problem with that that I'm missing?
I think this sounds fine.
You up for filing a ticket and maybe a patch/pull-request too?
Absolutely.
Thanks
--jk
***
[me](http://kehn.us) | [@joshkehn](https://twitter.com/joshkehn)
On 31 Aug 2015, at 13:21, Carl Meyer wrote:
Hi Josh,
I think it would make sense to just add a `CSRF_ALLOWED_REFERERS`
setting, defaulting to `None` (which would give the current behavior
of
requiring a match with the `Host` header). If set, it would be a list
of
valid referer hosts. Documentation needs to be extremely clear that
you
should only include hosts that are under your control, or you trust
completely, to this setting.
Anyone else see a problem with that that I'm missing?
You up for filing a ticket and maybe a patch/pull-request too?
Carl
--
You received this message because you are subscribed to a topic in the
Google Groups "Django developers (Contributions to Django itself)"
group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/django-developers/eQeaNzSlSbw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
[email protected].
To post to this group, send email to
[email protected].
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/55E48D02.8000301%40oddbird.net.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Django
developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/C181054B-2D7D-45DB-93DE-12EE20CC4C47%40gmail.com.
For more options, visit https://groups.google.com/d/optout.
