#30017: Django should assume port 443 for https in
django.utils.http.is_same_domain()
-----------------------------------------+------------------------
               Reporter:  Tagar          |          Owner:  nobody
                   Type:  Bug            |         Status:  new
              Component:  HTTP handling  |        Version:  2.1
               Severity:  Normal         |       Keywords:
           Triage Stage:  Unreviewed     |      Has patch:  0
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  0
                  UI/UX:  0              |
-----------------------------------------+------------------------
 More complete explanation posted here -
 https://stackoverflow.com/questions/53658795/django-how-to-disable-referer-check

 The issue is probably in Django code here:

 https://github.com/django/django/blob/22e8ab02863819093832de9f771bf40a62a6bd4a/django/middleware/csrf.py#L280

 The referer variable there is a urlparse object (see
 https://docs.python.org/3/library/urllib.parse.html ) which contains a
 "netloc" property with a port.

 Notice the error again - netlocs don't match because one has a port (443)
 and another doesn't have it (443 port is default for https):

 Referer checking failed -

 https://hue-dev.discover.abc.com/hue/accounts/login/?next=/
 does not match
 https://hue-dev.discover.abc.com:443/.

 so I guess it should be some sort of Referer field transformation made in
 nginx config to cut out 443 port explicitly (or add it).

 Referer check is failing because django.utils.http.is_same_domain() takes
 into account port (in referer.netloc).

 Django should assume that port 443 is default for httpS, and not fail
 Referer check in this case.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/30017>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
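
The mismatch described in this ticket, reproduced with the two URLs from the quoted error message. This is an added example, not part of the ticket and not Django's code; the helper names (naive_netloc_match, origin_tuple, normalized_match) are hypothetical, and it compares full URLs with urllib.parse rather than calling is_same_domain().

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# URLs taken from the error message quoted in the ticket.
REFERER = "https://hue-dev.discover.abc.com/hue/accounts/login/?next=/"
EXPECTED = "https://hue-dev.discover.abc.com:443/"


def naive_netloc_match(referer_url, expected_url):
    """Compare netloc strings as-is, so ':443' counts as a difference."""
    return urlsplit(referer_url).netloc == urlsplit(expected_url).netloc


def origin_tuple(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in DEFAULT_PORTS or not host:
        raise ValueError("not an absolute http(s) URL: %r" % url)
    # parts.port raises ValueError for a non-numeric or out-of-range port.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, host, port


def normalized_match(referer_url, expected_url):
    """Compare origins with default ports explicit; fail closed on bad input."""
    try:
        return origin_tuple(referer_url) == origin_tuple(expected_url)
    except ValueError:
        return False


if __name__ == "__main__":
    print("naive:", naive_netloc_match(REFERER, EXPECTED))
    print("normalized:", normalized_match(REFERER, EXPECTED))
```

An explicit non-default port or a different scheme still fails the normalized comparison, so the check is not loosened beyond treating 443 as implied for https and 80 for http.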
