On 08/31/2015 12:09 PM, Joshua Kehn wrote:
> On 31 Aug 2015, at 14:02, Tim Graham wrote:
> 
> > Is this related or duplicate to
> > https://code.djangoproject.com/ticket/24496?
> > That ticket has a patch that got stalled a bit, but might be worth
> > reviving first in case this new one causes it to go stale.
> 
> Looks related.
> 
> > If we decide to go with Troy Grosfield's suggestion of adding a
> > CSRF_WHITELIST_ORIGINS setting (which I like), I can document that
> > instead.
> 
> Sounds very similar to what we've discussed here.

Yes, CSRF_WHITELIST_ORIGINS is the same feature discussed here (but I
think CSRF_TRUSTED_REFERERS -- or CSRF_TRUSTED_ORIGINS if we don't like
reproducing the RFC-codified mis-spelling of "referrer" -- is a better
name).

This solution is more powerful than just using CSRF_COOKIE_DOMAIN, since
it also allows for separate-domain CORS situations in addition to
cross-subdomain requests. So I would consider this to be a good fix for
#24496; I don't think we need another ticket.

Carl

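As an added illustration of the distinction Carl draws above (this is example code written for this page, not code from the thread or from Django itself), a minimal HTTPS Referer check that layers a cookie-domain rule and an explicit trusted-origins list. The setting names follow the discussion; the matching rules, helper names and sample domains are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed settings for illustration; the names follow the thread, the
# matching rules below are this example's own, not Django's implementation.
CSRF_COOKIE_DOMAIN = ".example.com"                 # covers *.example.com only
CSRF_TRUSTED_ORIGINS = ["https://app.example.org"]  # a separate domain (CORS client)


def _origin_tuple(url):
    """Normalise a URL to (scheme, host, port) so origins compare exactly."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def allowed_by_cookie_domain(referer_host, cookie_domain):
    """True if the referer host is the cookie domain or one of its subdomains."""
    domain = cookie_domain.lstrip(".").lower()
    # Matching on "." + domain is what stops "evilexample.com" from passing.
    return referer_host == domain or referer_host.endswith("." + domain)


def referer_ok(referer, request_origin, cookie_domain=None, trusted_origins=()):
    """Decide whether a Referer header may be trusted for an HTTPS request.

    Order of checks: same origin, then the cookie domain (cross-subdomain),
    then an explicit whitelist of separate-domain origins. Only the last
    step can admit a host outside the cookie domain, which is the extra
    power of a trusted-origins setting over CSRF_COOKIE_DOMAIN alone.
    """
    if not referer:
        return False            # a missing Referer is rejected, not ignored
    ref = _origin_tuple(referer)
    if ref[0] != "https":
        return False            # an HTTPS site never trusts a plaintext referer
    if ref == _origin_tuple(request_origin):
        return True
    if cookie_domain and allowed_by_cookie_domain(ref[1], cookie_domain):
        return True
    return any(ref == _origin_tuple(o) for o in trusted_origins)
```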
-- 
You received this message because you are subscribed to the Google Groups
"Django developers (Contributions to Django itself)" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/55E49BD3.4050605%40oddbird.net.