On 31 Aug 2015, at 13:25, Carl Meyer wrote:
A couple follow-up thoughts:
On 08/31/2015 11:22 AM, Joshua Kehn wrote:
On 31 Aug 2015, at 13:21, Carl Meyer wrote:
I think it would make sense to just add a `CSRF_ALLOWED_REFERERS` setting, defaulting to `None` (which would give the current behavior of requiring a match with the `Host` header). If set, it would be a list of valid referer hosts. Documentation needs to be extremely clear that you should only include hosts that are under your control, or you trust completely, to this setting.
1) Maybe `CSRF_TRUSTED_REFERERS` is a better name, to emphasize the implied trust.
That name does sound better.
2) If it's set, a match with the Host header (or maybe with any host in `ALLOWED_HOSTS`) should still be allowed, so you aren't forced to duplicate `ALLOWED_HOSTS` inside `CSRF_TRUSTED_REFERERS`.
So the check here would look something like (excuse any typos, I'm not writing this in an editor):
```python
from django.conf import settings
from django.utils.http import same_origin  # scheme, host and port must all match

allowed_hosts = list(settings.ALLOWED_HOSTS) + list(settings.CSRF_TRUSTED_REFERERS)
if "*" in allowed_hosts:
    # Skip further checks since Django has been configured to allow any host.
    pass
else:
    good_referers = ["https://{0}".format(host) for host in allowed_hosts]
    if not any(same_origin(referer, good_referer) for good_referer in good_referers):
        # Reject CSRF referer mismatch (using the middleware's existing helper)
        return self._reject(request, REASON_BAD_REFERER)
```
I would imagine that the `"*"` host would be allowed in `CSRF_TRUSTED_REFERERS` just like it is in `ALLOWED_HOSTS`?
The next thought would be a separate extension but worth exploring: should Django then enforce CSRF referrer checks outside of secure requests if we have a setting specifically for it?
--jk
***
[me](http://kehn.us) | [@joshkehn](https://twitter.com/joshkehn)
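The check sketched in the message above, as an added stand-alone example that is neither from the thread nor from Django itself: `same_origin` mirrors Django's scheme/host/port comparison without importing it, and `referer_allowed` applies the proposed `ALLOWED_HOSTS` + `CSRF_TRUSTED_REFERERS` logic to constructed sample hosts. It also shows why a `"*"` in the trusted list (the question raised above) disables the referer check entirely, and that leading-dot `ALLOWED_HOSTS` entries would never match under this sketch.

```python
from urllib.parse import urlparse

PROTOCOL_TO_PORT = {"http": 80, "https": 443}


def same_origin(url1, url2):
    """True when scheme, host and port all match (Django's same_origin semantics)."""
    p1, p2 = urlparse(url1), urlparse(url2)
    try:
        o1 = (p1.scheme, p1.hostname, p1.port or PROTOCOL_TO_PORT[p1.scheme])
        o2 = (p2.scheme, p2.hostname, p2.port or PROTOCOL_TO_PORT[p2.scheme])
        return o1 == o2
    except (ValueError, KeyError):
        return False


def referer_allowed(referer, allowed_hosts, trusted_referers=None):
    """Referer check for an HTTPS request, as proposed in the thread.

    Returns (accepted, reason). trusted_referers=None keeps the current
    behaviour (match against ALLOWED_HOSTS only). Note that a "*" anywhere
    skips the check completely, and that leading-dot ALLOWED_HOSTS entries
    such as ".example.com" produce "https://.example.com", which never
    matches a real Referer; the sketch does not handle them.
    """
    hosts = list(allowed_hosts) + list(trusted_referers or [])
    if "*" in hosts:
        return True, "wildcard host configured; referer check skipped"
    if not referer:
        return False, "no Referer header on a secure request"
    good_referers = ["https://{0}".format(host) for host in hosts]
    if any(same_origin(referer, good) for good in good_referers):
        return True, "referer matches a trusted origin"
    return False, "referer {0} does not match {1}".format(referer, hosts)


if __name__ == "__main__":
    # Constructed sample configuration and Referer values.
    print(referer_allowed("https://example.com/form", ["example.com"]))
    print(referer_allowed("https://sso.partner.example/login", ["example.com"],
                          ["sso.partner.example"]))
    print(referer_allowed("https://evil.example/", ["example.com"], ["*"]))
```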
--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/6F8CD7D1-DD97-4CF2-BC80-78C7C589EC9B%40gmail.com.