Re: [Django] #24496: Check CSRF Referer against CSRF_COOKIE_DOMAIN

Thu, 19 Mar 2015 09:37:01 -0700 

#24496: Check CSRF Referer against CSRF_COOKIE_DOMAIN
------------------------------+--------------------------------------
     Reporter:  mattrobenolt  |                    Owner:  nobody
         Type:  New feature   |                   Status:  new
    Component:  CSRF          |                  Version:  master
     Severity:  Normal        |               Resolution:
     Keywords:  csrf          |             Triage Stage:  Unreviewed
    Has patch:  1             |      Needs documentation:  0
  Needs tests:  0             |  Patch needs improvement:  0
Easy pickings:  0             |                    UI/UX:  0
------------------------------+--------------------------------------

Comment (by mattrobenolt):

 I think the comment in this file explains it best:
 {{{
 # Suppose user visits http://example.com/
 # An active network attacker (man-in-the-middle, MITM) sends a
 # POST form that targets https://example.com/detonate-bomb/ and
 # submits it via JavaScript.
 #
 # The attacker will need to provide a CSRF cookie and token, but
 # that's no problem for a MITM and the session-independent
 # nonce we're using. So the MITM can circumvent the CSRF
 # protection. This is true for any HTTP connection, but anyone
 # using HTTPS expects better! For this reason, for
 # https://example.com/ we need additional protection that treats
 # http://example.com/ as completely untrusted. Under HTTPS,
 # Barth et al. found that the Referer header is missing for
 # same-domain requests in only about 0.2% of cases or less, so
 # we can use strict Referer checking.
 }}}

 
https://github.com/django/django/blob/668d53cd125175eb708cc0af143f47b42cd42153/django/middleware/csrf.py#L135-L149

--
Ticket URL: <https://code.djangoproject.com/ticket/24496#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/070.8eedd766f5bf15294ad2921260485efd%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to