#24496: Check CSRF Referer against CSRF_COOKIE_DOMAIN
------------------------------+--------------------------------------
Reporter: mattrobenolt | Owner: nobody
Type: New feature | Status: new
Component: CSRF | Version: master
Severity: Normal | Resolution:
Keywords: csrf | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Comment (by carljm):
Tim, the "we want to be more strict" is something Django already
implements (checking `REFERER` against the request host on an HTTPS
request). Matt's feature request is for that check to be against
`CSRF_COOKIE_DOMAIN` rather than the request host, to allow for cross-
subdomain requests. I think this is reasonable, and probably the way it
should have worked from the beginning.
--
Ticket URL: <https://code.djangoproject.com/ticket/24496#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/070.80331310a12588871604f3ab6ca9af44%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
