#30017: Django should assume port 443 for https in
django.utils.http.is_same_domain()
-----------------------------------+--------------------------------------
Reporter: Ruslan Dautkhanov | Owner: (none)
Type: Bug | Status: closed
Component: HTTP handling | Version: 2.1
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------------+--------------------------------------
Changes (by Carlton Gibson):
* status: new => closed
* resolution: => wontfix
Comment:
Please see TicketClosingReasons/DontReopenTickets.
I see three options here:
1. Correct the Nginx config. This seems the obvious answer, the one on the
Stack Overflow thread, and presumably you have no problem with it, since
you think `web.site.com` and `web.site.com:443` are equivalent, so there's
no harm dropping the `$server_port` bit.
2. Add `web.site.com:443` to `CSRF_TRUSTED_ORIGINS`
([https://code.djangoproject.com/ticket/28488#comment:39 as others have
done here]).
3. **Add logic** examining the environment to infer the `443` port.
I'm sure we could get 3 roughly right with some effort. But I'm equally
sure that it would turn out to be wrong for someone's setup. Then we'd
have to add edge-case handling and opt-outs and all the rest of it.
In my view such things are **simply not worth the effort** when options 1
and 2 are available. I suggest you take one of those.
> I wish there would be a way to disable referer check altogether.
You could always subclass the CSRF middleware. I wouldn't do that. (I'd go
with option 1.)
--
Ticket URL: <https://code.djangoproject.com/ticket/30017#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
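
The port mismatch discussed in this comment, as an added example that is not part of the original message and is not Django's own code. It is a simplified model of the exact host[:port] comparison; `referer_allowed`, `run_cases` and the sample Referer and Host values are constructed assumptions.

```python
from urllib.parse import urlparse


def is_same_domain(host, pattern):
    """Simplified model: exact match on host[:port], or a leading-dot
    pattern that also matches subdomains. No default port is inferred."""
    if not pattern:
        return False
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def referer_allowed(referer, request_host, trusted_origins=()):
    """Hypothetical helper: accept the Referer if its netloc matches the
    host the application saw or any entry in trusted_origins."""
    netloc = urlparse(referer).netloc
    candidates = list(trusted_origins) + [request_host]
    return any(is_same_domain(netloc, c) for c in candidates)


# Constructed sample values, using the hostname from the ticket.
BARE = "https://web.site.com/login/"
WITH_PORT = "https://web.site.com:443/login/"

CASES = [
    # (label, Referer, host seen by the app, trusted origins)
    ("proxy appends $server_port to Host", BARE, "web.site.com:443", ()),
    ("option 1: proxy forwards bare Host", BARE, "web.site.com", ()),
    ("option 2: port form listed, Referer has port",
     WITH_PORT, "web.site.com", ("web.site.com:443",)),
    ("port form listed, Referer has no port",
     BARE, "web.site.com:443", ("web.site.com:443",)),
]


def run_cases():
    """Return {label: accepted?} for each constructed case."""
    return {label: referer_allowed(r, h, t) for label, r, h, t in CASES}


if __name__ == "__main__":
    for label, ok in run_cases().items():
        print(f"{'accept' if ok else 'reject'}  {label}")
```

A trusted entry only helps when it is written in the same form as the Referer's netloc, because the comparison is on the literal host[:port] string.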