#31823: Add Support for Fetch Metadata Request Headers
-------------------------------------+-------------------------------------
               Reporter:             |          Owner:  nobody
  meggles711                         |
                   Type:  New        |         Status:  new
  feature                            |
              Component:  CSRF       |        Version:  master
               Severity:  Normal     |       Keywords:  CSRF, Fetch,
           Triage Stage:             |  headers
  Unreviewed                         |      Has patch:  0
    Needs documentation:  0          |    Needs tests:  0
Patch needs improvement:  0          |  Easy pickings:  0
                  UI/UX:  0          |
-------------------------------------+-------------------------------------
 I would like to implement Fetch Metadata Request Headers as a new security
 feature in Django.


 == **What are Fetch Metadata Request Headers?**
 Fetch metadata request headers are a relatively new security feature used
 to protect against cross-origin request attacks like CSRF. Browsers that
 support them provide request origin information to the web server inside
 headers with every request. This information includes what site is making
 the request, the mode or type of the request, and the destination of the
 request. The information provided in the fetch metadata request headers
 can be used to create a resource isolation policy that protects web
 application users from cross-origin attacks.



 == **Proposed Changes to Django**
 New checks should be added to the CSRF middleware. Currently the
 middleware will check the referer header as one method of determining
 request validity. When the fetch metadata request headers are set, these
 should be used for resource isolation checks instead. Otherwise, the
 policy will fall back on validating with the referer header.

 If the fetch metadata headers are set, this resource isolation policy is
 followed:

  * Same-site and browser-initiated requests are allowed
  * Top-level navigation (HTTP GET) is allowed
  * Developer-defined endpoints that are meant to serve cross-site traffic
    are allowed
  * Reject all other requests

 After this policy is followed CSRF processing will continue as normal.

 **Please provide me some feedback on this implementation plan and let me
 know if you would like to see this new security feature in Django.**

-- 
Ticket URL: <https://code.djangoproject.com/ticket/31823>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
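The resource isolation policy sketched in the ticket, written out as a stand-alone example. This is added illustration code, not the reporter's patch and not part of Django; it is framework-agnostic (no Django import) and only follows the shape of a Django-style middleware (`__init__(get_response)` / `__call__(request)`, `request.method`, `request.path`, `request.headers`). The function name `resource_isolation_decision`, the `cross_site_paths` allowlist, and the sample requests are assumptions made here. It goes one step beyond the ticket's list by excluding `object` and `embed` destinations from the top-level navigation exemption, which is how the reference policy for these headers treats them.

```python
"""Resource isolation policy built on Fetch Metadata request headers.

Added example (not Django code). The decision function takes the request
method, path and a mapping of request headers, so it can be wrapped in any
middleware layer; FetchMetadataMiddleware below shows the Django-style shape.
"""
from types import SimpleNamespace
from typing import Callable, Iterable, Mapping, Optional

ALLOW = "allow"
REJECT = "reject"
FALLBACK = "fallback"  # no Fetch Metadata present: defer to the Referer check


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; values are normalised to lower case."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip().lower()
    return None


def resource_isolation_decision(
    method: str,
    path: str,
    headers: Mapping[str, str],
    cross_site_paths: Iterable[str] = (),
) -> str:
    """Return ALLOW, REJECT or FALLBACK for one request.

    cross_site_paths: hypothetical developer-defined URL prefixes that are
    meant to receive cross-site traffic (webhooks, public APIs, ...).
    """
    site = _header(headers, "Sec-Fetch-Site")
    if site is None:
        # Browser did not send Fetch Metadata (old browser or non-browser
        # client): the policy cannot decide, so the Referer check must run.
        return FALLBACK

    # Same-site and browser-initiated requests (address bar, bookmark) are allowed.
    if site in ("same-origin", "same-site", "none"):
        return ALLOW

    # Simple top-level navigations are allowed, except when the destination is
    # <object> or <embed>, which can navigate without the user's involvement.
    mode = _header(headers, "Sec-Fetch-Mode")
    dest = _header(headers, "Sec-Fetch-Dest")
    if method.upper() == "GET" and mode == "navigate" and dest not in ("object", "embed"):
        return ALLOW

    # Endpoints the developer explicitly opened to cross-site traffic.
    if any(path.startswith(prefix) for prefix in cross_site_paths):
        return ALLOW

    # Everything else is cross-site and not exempted: reject.
    return REJECT


class FetchMetadataMiddleware:
    """Django-style middleware that applies the policy before CSRF processing.

    A FALLBACK decision lets the request continue so that the existing
    Referer-based CSRF check downstream still applies to it.
    """

    def __init__(
        self,
        get_response: Callable,
        cross_site_paths: Iterable[str] = (),
        reject_response: Callable[[object], object] = lambda request: "403 Forbidden",
    ):
        self.get_response = get_response
        self.cross_site_paths = tuple(cross_site_paths)
        self.reject_response = reject_response

    def __call__(self, request):
        decision = resource_isolation_decision(
            request.method, request.path, request.headers, self.cross_site_paths
        )
        if decision == REJECT:
            return self.reject_response(request)
        return self.get_response(request)


def make_request(method: str, path: str, headers: Mapping[str, str]):
    """Constructed stand-in for an HttpRequest, for running the example offline."""
    return SimpleNamespace(method=method, path=path, headers=dict(headers))


if __name__ == "__main__":
    middleware = FetchMetadataMiddleware(lambda r: "200 OK", cross_site_paths=("/webhooks/",))
    # Constructed sample: a cross-site fetch() POST against a state-changing view.
    csrf_attempt = make_request("POST", "/accounts/password/", {
        "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty",
    })
    print(middleware(csrf_attempt))  # rejected by the isolation policy
```

In a real deployment the middleware would sit before `CsrfViewMiddleware` in `MIDDLEWARE` so that a rejected request never reaches the token check, while requests without the headers pass through unchanged to the existing Referer validation.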
