#24496: Check CSRF Referer against CSRF_TRUSTED_ORIGINS
------------------------------+------------------------------------
Reporter: mattrobenolt | Owner: joshkehn
Type: New feature | Status: assigned
Component: CSRF | Version: master
Severity: Normal | Resolution:
Keywords: csrf | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Comment (by carljm):
The new patch looks good, thanks Josh! After giving it some more thought
overnight, I think we should actually combine the two proposed patches for
this ticket. `CSRF_TRUSTED_ORIGINS` is broader in scope for true cross-
origin requests from different domains, but using `CSRF_COOKIE_DOMAIN` as
the default (if set) is just sensible, and easier if you have quite a few
subdomains that should all be trusted (since we don't have any sort of
wildcarding in `CSRF_TRUSTED_ORIGINS`).
--
Ticket URL: <https://code.djangoproject.com/ticket/24496#comment:15>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/070.6626dc74d5f7a91c30529ac9fc9e3af4%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
