#24496: Check CSRF Referer against CSRF_TRUSTED_ORIGINS
------------------------------+------------------------------------
Reporter: mattrobenolt | Owner: joshkehn
Type: New feature | Status: assigned
Component: CSRF | Version: master
Severity: Normal | Resolution:
Keywords: csrf | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Comment (by carljm):
I think the logic should look more like "construct a list of valid
referers, where that list consists of X plus CSRF_TRUSTED_ORIGINS, where X
is CSRF_COOKIE_DOMAIN if set and otherwise request.get_host()".
In other words, it's basically the same logic as in your current PR,
except that if CSRF_COOKIE_DOMAIN is set, it replaces request.get_host()
entirely. But you'll also need the other changes in Matt's pull request in
order to get the correct host matching (where initial dot allows
subdomains).
I would probably start with Matt's PR and layer the addition of
CSRF_TRUSTED_ORIGINS on top of that.
We could even merge them as separate fixes? Maybe I was wrong to suggest
doing them both in this ticket.
--
Ticket URL: <https://code.djangoproject.com/ticket/24496#comment:18>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/070.714368951993606af054b116d1bc1adb%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
