#16859: CSRF Improvements
-------------------------------------+-------------------------------------
     Reporter:  Paul McMillan        |                    Owner:  Paul McMillan
         Type:  Cleanup/optimization |                   Status:  new
    Component:  CSRF                 |                  Version:  master
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Ed Morley):

 Currently the CSRF middleware performs strict `Referer` header checking,
 to (a) mitigate MITM attacks that set a cookie via plain HTTP, and (b)
 prevent issues with malicious subdomains.

 If the new `CSRF_USE_SESSIONS` is set to `True`, does that mean both of
 those issues can no longer occur, and so the strict referrer checking is
 then not required? (Along the lines of:
 https://github.com/django/django/pull/5600#issuecomment-154797097)

--
Ticket URL: <https://code.djangoproject.com/ticket/16859#comment:12>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
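An added illustration of the strict Referer policy the comment describes (not Django's own CsrfViewMiddleware code; the function and parameter names are assumptions): on an HTTPS request the Referer must be present, use https, and name exactly the request host or an explicitly trusted origin, so a referer sent over plain HTTP (case a) or from a sibling subdomain (case b) is rejected.

```python
from urllib.parse import urlparse

# Constructed illustration of the strict Referer check discussed in the
# ticket; it is not Django's CsrfViewMiddleware and the names are assumptions.


def _normalize_origin(host):
    """Lower-case a host[:port] and drop an explicit default HTTPS port."""
    host = host.strip().lower()
    if host.endswith(":443"):
        host = host[:-4]
    return host


def referer_check_passes(request_host, referer, trusted_origins=()):
    """Strict Referer check for an HTTPS request, returning (ok, reason).

    The Referer must be present, use https, and name exactly the request
    host or one of the explicitly trusted origins. That is what rejects
    (a) a referer injected over plain HTTP and (b) a sibling subdomain.
    """
    if not referer:
        return False, "missing Referer"
    parts = urlparse(referer)
    if parts.scheme != "https":
        return False, "Referer is not https"
    try:
        host, port = parts.hostname, parts.port  # .port raises on bad ports
    except ValueError:
        return False, "malformed Referer"
    if not host:
        return False, "malformed Referer"
    # hostname is already lower-cased and excludes any userinfo part
    origin = host if port in (None, 443) else "%s:%d" % (host, port)
    allowed = {_normalize_origin(request_host)}
    allowed.update(_normalize_origin(o) for o in trusted_origins)
    if origin in allowed:
        return True, "ok"
    return False, "Referer origin %r is not the request host" % origin
```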
