On 08/31/2015 11:37 AM, Joshua Kehn wrote:
> 2) If it's set, a match with the Host header (or maybe with any host in
> `ALLOWED_HOSTS`) should still be allowed, so you aren't forced to
> duplicate `ALLOWED_HOSTS` inside `CSRF_TRUSTED_REFERERS`.
>
> So the check here would look something like (excuse any typos, I'm not
> writing this in an editor):
>
>     allowed_hosts = list(settings.ALLOWED_HOSTS) + list(settings.CSRF_TRUSTED_REFERERS)
>     if "*" in allowed_hosts:
>         # Skip further checks since Django has been configured to allow any host.
>         pass
>     else:
>         good_referers = ["https://{0}".format(host) for host in allowed_hosts]
>         if not any([same_origin(referer, good_referer) for good_referer in good_referers]):
>             # Reject CSRF referer mismatch
>             pass
>
> I would imagine that the `"*"` host would be allowed in
> `CSRF_TRUSTED_REFERERS` just like it is in `ALLOWED_HOSTS`?
No, I don't think `*` should be allowed in `CSRF_TRUSTED_REFERERS`; I don't
think there is any scenario in which that is a safe or reasonable
configuration. And I think that the fact that it's allowed in
`ALLOWED_HOSTS` might be a reason to just stick to "Host header or
CSRF_TRUSTED_REFERERS", and leave ALLOWED_HOSTS out of it.

> The next thought would be a separate extension but worth exploring:
> Should Django then enforce CSRF referrer checks outside of secure
> requests if we have a setting specifically for it?

No, that would be a backwards-incompatible change, and the REFERER check
offers zero additional security in the HTTP case, because HTTP is wide-open
to MITM attacks regardless.

Carl

-- 
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/55E49551.7030402%40oddbird.net.
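To make the variant Carl argues for concrete ("Host header or CSRF_TRUSTED_REFERERS", with `*` refused, and the check applied only to HTTPS requests), here is a standalone implementation of that referer check. It is an added example written for this page, not Django's code and not code from either participant; the names `check_referer`, `good_referers`, `ImproperlyConfigured`, the plain-dict request object and the sample requests are assumptions made for the example. Trusted entries are bare hosts (optionally `host:port`), as in Joshua's sketch, and are always compared as `https://` origins.

```python
# Added example (not Django's code, not from the thread): a standalone CSRF
# referer check that accepts a Referer matching the request's own Host or one
# of CSRF_TRUSTED_REFERERS, and treats '*' as a configuration error.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


class ImproperlyConfigured(ValueError):
    """Raised for a setting that can never be safe, e.g. '*' as a trusted referer."""


def origin_of(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None.

    The default port is filled in so https://a.example and https://a.example:443
    compare equal; an unparseable port or a missing host yields None, which never
    matches anything.
    """
    try:
        parts = urlsplit(url)
        scheme, host, port = parts.scheme.lower(), parts.hostname, parts.port
    except ValueError:  # e.g. "https://a.example:notaport/"
        return None
    if scheme not in DEFAULT_PORTS or not host:
        return None
    return (scheme, host.lower(), port if port is not None else DEFAULT_PORTS[scheme])


def same_origin(url1, url2):
    """RFC 6454 style comparison: scheme, host and port must all match."""
    o1, o2 = origin_of(url1), origin_of(url2)
    return o1 is not None and o1 == o2


def good_referers(host_header, trusted_referers):
    """Origins a Referer may match: the request's own Host plus the configured list.

    Entries are compared as https:// origins, so a plain-http Referer on an https
    request never matches. A literal '*' is refused outright.
    """
    trusted = list(trusted_referers)
    if "*" in trusted:
        raise ImproperlyConfigured("'*' is not allowed in CSRF_TRUSTED_REFERERS")
    return ["https://{0}".format(h) for h in [host_header] + trusted]


def check_referer(request, trusted_referers=()):
    """Decide whether an unsafe (POST-like) request passes the referer check.

    `request` is a plain dict with 'scheme', 'host' (the Host header) and an
    optional 'referer' (the Referer header); a hypothetical stand-in for a
    framework request object. Returns (accepted, reason).
    """
    if request["scheme"] != "https":
        # Plain-HTTP requests skip the check: an active attacker can rewrite any
        # header on that connection anyway, so the check would buy nothing.
        return True, "not https, referer check skipped"
    referer = request.get("referer")
    if not referer:
        return False, "referer header missing"
    candidates = good_referers(request["host"], trusted_referers)
    if not any(same_origin(referer, good) for good in candidates):
        return False, "referer matches neither Host nor CSRF_TRUSTED_REFERERS"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    req = {"scheme": "https", "host": "app.example.com",
           "referer": "https://app.example.com/form"}
    print(check_referer(req))
    req["referer"] = "https://sso.example.com/login"
    print(check_referer(req))                                          # rejected
    print(check_referer(req, trusted_referers=["sso.example.com"]))    # accepted
```

Note that the Host header is only a safe anchor here if the framework has already validated it (Django does this against `ALLOWED_HOSTS` before the CSRF middleware runs); the example deliberately does not consult `ALLOWED_HOSTS` itself, which is the simplification Carl proposes.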
