A couple follow-up thoughts: On 08/31/2015 11:22 AM, Joshua Kehn wrote: > On 31 Aug 2015, at 13:21, Carl Meyer wrote: > I think it would make sense to just add a |CSRF_ALLOWED_REFERERS| > setting, defaulting to |None| (which would give the current behavior of > requiring a match with the |Host| header). If set, it would be a list of > valid referer hosts. Documentation needs to be extremely clear that you > should only include hosts that are under your control, or you trust > completely, to this setting.
1) Maybe `CSRF_TRUSTED_REFERERS` is a better name, to emphasize the implied trust. 2) If it's set, a match with the Host header (or maybe with any host in `ALLOWED_HOSTS`) should still be allowed, so you aren't forced to duplicate `ALLOWED_HOSTS` inside `CSRF_TRUSTED_REFERERS`. Carl -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/55E48E0E.3020302%40oddbird.net. For more options, visit https://groups.google.com/d/optout.
signature.asc
Description: OpenPGP digital signature
