#30017: Django should assume port 443 for https in
django.utils.http.is_same_domain()
-----------------------------------+--------------------------------------
     Reporter:  Ruslan Dautkhanov  |                    Owner:  (none)
         Type:  Bug                |                   Status:  new
    Component:  HTTP handling      |                  Version:  2.1
     Severity:  Normal             |               Resolution:
     Keywords:                     |             Triage Stage:  Unreviewed
    Has patch:  0                  |      Needs documentation:  0
  Needs tests:  0                  |  Patch needs improvement:  0
Easy pickings:  0                  |                    UI/UX:  0
-----------------------------------+--------------------------------------
Changes (by Ruslan Dautkhanov):

 * status:  closed => new
 * resolution:  wontfix =>


Comment:

 As I mentioned on SO, we use Django as part of the Cloudera Hue product
 https://github.com/cloudera/hue
 and there is no way to inject Django configs like `ALLOWED_HOSTS` and/or
 `CSRF_TRUSTED_ORIGINS` there.
 Anyway, this would be a workaround for this problem, not a solution.

 > infer the 443 but we're making assumptions in doing so

 Port 443 is not an assumption, but part of the Internet Standard RFC 2818
 https://tools.ietf.org/html/rfc2818

 > the default port is 443

 All browsers, for example, when you type in https://abc.com, "assume" the
 same thing unless a port is given,
 and they "assume" port 80 when you specify `http://`, because it's part
 of the Internet Standard.

 > Neither the Host nor the `X-Forwarded-Host` include the scheme right?
 > As such it's just not right to say that `web.site.com` and
 > `web.site.com:443` are the same.

 Not quite right. Django has the `X-Forwarded-Proto` header and it knows that
 it's `https` and not `http`.

 That's my last attempt to reopen this ticket. Thanks for the feedback, but
 I believe this is a real problem in Django.

 Moreover, not sure why Django is making such a big deal of the `Referer`
 check? It's not real security, as the `Referer` header can be easily spoofed:
 https://security.stackexchange.com/questions/66165/does-referrer-header-checking-offer-any-real-world-security-improvement
 I wish there were a way to disable the referer check altogether.

 Thanks again.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/30017#comment:7>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
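The port-defaulting the comment argues for, as an added example that is not Django's code and not part of the ticket. It compares a Referer origin against the request origin the way the comment proposes, filling in 443 for https and 80 for http when the Host or X-Forwarded-Host value carries no port, next to the raw string comparison that rejects `web.site.com` versus `web.site.com:443`. The function names (`canonical_origin`, `same_origin`, `effective_scheme`) and the sample headers are constructed for this example. Two caveats a practitioner would want: `X-Forwarded-Proto` is attacker-controlled unless a trusted proxy sets it, which is why Django honours it only when `SECURE_PROXY_SSL_HEADER` is configured, so the example makes trusting it an explicit opt-in; and the Referer check is aimed at browser-initiated cross-site requests, where the attacker cannot choose the header that the victim's browser sends.

```python
"""Scheme-aware origin comparison for a Referer check.

Added example, not Django's code. It models the situation in the ticket: a
TLS-terminating proxy forwards Host "web.site.com:443" while the browser sends
Referer "https://web.site.com/...". A plain comparison of the two netloc
strings fails; normalising the default port per scheme (443 for https per
RFC 2818, 80 for http) makes them compare equal.
"""
from urllib.parse import urlsplit

# Default ports per scheme; any other scheme is rejected outright.
DEFAULT_PORTS = {"http": 80, "https": 443}


def split_host_port(host_header):
    """Split a Host / X-Forwarded-Host value into (hostname, port).

    urlsplit handles bracketed IPv6 literals such as "[::1]:8443" and
    strips any userinfo. Returns None when the port is not an integer.
    """
    parts = urlsplit("//" + host_header)
    try:
        return (parts.hostname or "").lower(), parts.port
    except ValueError:  # e.g. "web.site.com:abc"
        return None


def canonical_origin(scheme, host_header):
    """Return (scheme, hostname, port) with the scheme's default port filled
    in, or None if the scheme is unknown or the host value is malformed."""
    scheme = scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return None
    split = split_host_port(host_header)
    if split is None or not split[0]:
        return None
    hostname, port = split
    return scheme, hostname, DEFAULT_PORTS[scheme] if port is None else port


def naive_same_origin(referer, host_header):
    """The behaviour the ticket complains about: raw netloc strings are
    compared, so "web.site.com" != "web.site.com:443"."""
    return urlsplit(referer).netloc.lower() == host_header.lower()


def same_origin(referer, request_scheme, host_header):
    """Scheme-aware comparison of the Referer origin with the request origin.

    Both sides are canonicalised, so an explicit ":443" on either side is
    equivalent to no port at all for https, and a scheme mismatch
    (http Referer on an https request) is still rejected.
    """
    ref = urlsplit(referer)
    expected = canonical_origin(request_scheme, host_header)
    actual = canonical_origin(ref.scheme, ref.netloc) if ref.scheme else None
    return expected is not None and expected == actual


def effective_scheme(transport_scheme, headers, trust_forwarded_proto=False):
    """Scheme to use for the request origin.

    X-Forwarded-Proto can be supplied by any client unless a trusted proxy
    overwrites it, so it is honoured only when the deployment opts in (the
    role Django's SECURE_PROXY_SSL_HEADER setting plays). The first value is
    used when several proxies appended to the header.
    """
    if trust_forwarded_proto:
        proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if proto in DEFAULT_PORTS:
            return proto
    return transport_scheme


if __name__ == "__main__":
    # Constructed sample: browser Referer vs. what the proxy forwards.
    referer = "https://web.site.com/app/"
    headers = {"X-Forwarded-Host": "web.site.com:443", "X-Forwarded-Proto": "https"}
    scheme = effective_scheme("http", headers, trust_forwarded_proto=True)
    print("naive:", naive_same_origin(referer, headers["X-Forwarded-Host"]))
    print("port-aware:", same_origin(referer, scheme, headers["X-Forwarded-Host"]))
```

Run as a script it prints `naive: False` and `port-aware: True` for the ticket's case; the same function rejects a Referer on a non-default port, an `http://` Referer on an https request, a different host, and a Host value whose port is not numeric.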

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/063.1648c9ffa4feadd01984705f4a4d3b4e%40djangoproject.com.