On 31 Aug 2015, at 13:56, Carl Meyer wrote:

> No, I don't think `*` should be allowed in `CSRF_TRUSTED_REFERERS`; I
> don't think there is any scenario in which that is a safe or reasonable
> configuration.
>
> And I think that the fact that it's allowed in `ALLOWED_HOSTS` might be
> a reason to just stick to "Host header or CSRF_TRUSTED_REFERERS", and
> leave ALLOWED_HOSTS out of it.

I would agree. I'll draft a ticket and post here once I have.

> No, that would be a backwards-incompatible change, and the REFERER check
> offers zero additional security in the HTTP case, because HTTP is
> wide-open to MITM attacks regardless.

Good points, agreed. I'll get the ticket in and work on a patch later today for review.

Thanks

--jk

[me](http://kehn.us) | [@joshkehn](https://twitter.com/joshkehn)

You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/B66A3D89-FCA5-4541-82E1-7A3A0C646C1F%40gmail.com.
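As an added illustration of the rule agreed in this thread (example code written here, not Django's implementation and not the patch mentioned above): a referer check that is enforced only for HTTPS requests, accepts a referer whose origin is the request's own Host header or an explicit entry in the proposed `CSRF_TRUSTED_REFERERS` setting, refuses wildcard entries up front, and never consults `ALLOWED_HOSTS`. The setting name is taken from the thread; the helper names and the (host, port) canonicalisation are assumptions.

```python
from urllib.parse import urlsplit


def origin_key(authority):
    """Canonical (host, port) for an https authority such as
    "example.com" or "example.com:8443"; the default port is 443.
    Parsing via urlsplit lower-cases the host and discards any userinfo.
    Returns None when the authority cannot be parsed."""
    try:
        parts = urlsplit("https://" + authority)
        if not parts.hostname:
            return None
        return (parts.hostname, parts.port or 443)
    except ValueError:  # e.g. a non-numeric port
        return None


def validate_trusted_referers(entries):
    """Validate the (hypothetical) CSRF_TRUSTED_REFERERS setting at
    startup: a '*' is rejected so it can never silently disable the check."""
    keys = set()
    for entry in entries:
        key = None if "*" in entry else origin_key(entry)
        if key is None:
            raise ValueError(f"invalid CSRF_TRUSTED_REFERERS entry: {entry!r}")
        keys.add(key)
    return frozenset(keys)


def referer_allowed(is_secure, host_header, referer, trusted):
    """Return (allowed, reason) for one request.

    The check only runs for HTTPS requests, as in the thread: over plain
    HTTP a MITM can forge the header anyway, so it is not enforced there.
    """
    if not is_secure:
        return True, "not enforced over http"
    if not referer:
        return False, "missing referer on https request"
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return False, "referer is not https"
    key = origin_key(parts.netloc)
    if key is None:
        return False, "malformed referer"
    if key == origin_key(host_header):
        return True, "matches Host header"
    if key in trusted:
        return True, "matches CSRF_TRUSTED_REFERERS"
    return False, "referer origin not trusted"
```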
