Is this related to or a duplicate of https://code.djangoproject.com/ticket/24496? That ticket has a patch that got stalled a bit, but might be worth reviving first in case this new one causes it to go stale.
On Monday, August 31, 2015 at 1:37:45 PM UTC-4, Joshua Kehn wrote:
>
> On 31 Aug 2015, at 13:25, Carl Meyer wrote:
>
> A couple follow-up thoughts:
>
> On 08/31/2015 11:22 AM, Joshua Kehn wrote:
>
> On 31 Aug 2015, at 13:21, Carl Meyer wrote:
> I think it would make sense to just add a |CSRF_ALLOWED_REFERERS|
> setting, defaulting to |None| (which would give the current behavior of
> requiring a match with the |Host| header). If set, it would be a list of
> valid referer hosts. Documentation needs to be extremely clear that you
> should only include hosts that are under your control, or you trust
> completely, to this setting.
>
> 1) Maybe CSRF_TRUSTED_REFERERS is a better name, to emphasize the
> implied trust.
>
> That name does sound better.
>
> 2) If it's set, a match with the Host header (or maybe with any host in
> ALLOWED_HOSTS) should still be allowed, so you aren't forced to
> duplicate ALLOWED_HOSTS inside CSRF_TRUSTED_REFERERS.
>
> So the check here would look something like (excuse any typos, I'm not
> writing this in an editor):
>
>     allowed_hosts = list(settings.ALLOWED_HOSTS) + list(settings.CSRF_TRUSTED_REFERERS)
>     if "*" in allowed_hosts:
>         # Skip further checks since Django has been configured to allow any host.
>     else:
>         good_referers = ["https://{0}".format(host) for host in allowed_hosts]
>         if not any([same_origin(referer, good_referer) for good_referer in good_referers]):
>             # Reject CSRF referer mismatch
>
> I would imagine that the "*" host would be allowed in
> CSRF_TRUSTED_REFERERS just like it is in ALLOWED_HOSTS?
>
> The next thought would be a separate extension but worth exploring:
> Should Django then enforce CSRF referrer checks outside of secure requests
> if we have a setting specifically for it?
> --jk
> me <http://kehn.us> | @joshkehn <https://twitter.com/joshkehn>
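The check sketched in the quoted reply, written out as a runnable Python example added here; it is neither Django's own code nor the patch under discussion. `referer_allowed`, the `_origin` helper, the `trusted_referers` argument standing in for the proposed `CSRF_TRUSTED_REFERERS` setting, the `is_secure` flag (to show where the "outside of secure requests" question would plug in) and all sample hosts are assumptions. It keeps the three points from the thread: the request's own `Host` header and `ALLOWED_HOSTS` stay acceptable without duplication, `"*"` in either list disables the check, and matching is a strict origin comparison rather than a prefix test.

```python
# Added example (not Django's code): a standalone version of the referer
# check discussed in the thread, with a CSRF_TRUSTED_REFERERS-style list
# that extends ALLOWED_HOSTS. All names and signatures are assumptions.
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) for a URL, or None if it cannot be parsed.

    The scheme's default port is filled in so that "https://a.example" and
    "https://a.example:443" compare equal.
    """
    parts = urlparse(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # e.g. "https://a.example:notaport/"
        return None
    return (scheme, parts.hostname, port or DEFAULT_PORTS[scheme])


def same_origin(url1, url2):
    """Strict origin comparison: scheme, host and port must all match.

    An exact host comparison is what rejects look-alikes such as
    "app.example.evil.test" when "app.example" is the trusted host.
    """
    o1, o2 = _origin(url1), _origin(url2)
    return o1 is not None and o1 == o2


def referer_allowed(referer, request_host, allowed_hosts, trusted_referers=(), is_secure=True):
    """Decide whether a request's Referer passes the CSRF origin check.

    Mirrors the sketch in the thread (an assumption, not Django's code): the
    request's own Host header, every entry of ALLOWED_HOSTS and every entry of
    the hypothetical CSRF_TRUSTED_REFERERS are acceptable referer hosts, and
    "*" in either list disables the check entirely.
    """
    if not is_secure:
        # Behaviour at the time of the thread: the referer is only checked on
        # HTTPS requests. Flip this branch to extend the check to plain HTTP.
        return True
    if not referer:
        # A secure request with no Referer at all is rejected.
        return False
    candidates = [request_host] + list(allowed_hosts) + list(trusted_referers)
    if "*" in candidates:
        return True
    good_referers = ["https://{0}".format(host) for host in candidates if host]
    return any(same_origin(referer, good) for good in good_referers)


if __name__ == "__main__":
    # Constructed sample requests (not real traffic).
    settings_allowed_hosts = ["app.example"]
    settings_trusted = ["sso.example"]
    samples = [
        ("https://app.example/form", "app.example"),
        ("https://sso.example/login", "app.example"),
        ("https://app.example.evil.test/", "app.example"),
        ("http://app.example/form", "app.example"),
        (None, "app.example"),
    ]
    for referer, host in samples:
        verdict = referer_allowed(referer, host, settings_allowed_hosts, settings_trusted)
        print("{!r:40} -> {}".format(referer, "allowed" if verdict else "rejected"))
```

Two design choices worth noting when reviewing a real patch: the comparison is on the parsed origin, so a trailing path, a default port spelled out explicitly, or an `http://` referer to an `https://` request all behave predictably; and because `"*"` in the trusted list short-circuits every check, the documentation warning from the thread about only listing hosts you control applies to that wildcard just as much as to individual hosts.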
