#34855: Document CSRF_TRUSTED_ORIGINS relation to SECURE_PROXY_SSL_HEADER.
-------------------------------------+-------------------------------------
     Reporter:  jeroenmuller         |                    Owner:  nobody
         Type:  Cleanup/optimization |                   Status:  closed
    Component:  Documentation        |                  Version:  4.2
     Severity:  Normal               |               Resolution:  wontfix
     Keywords:  CSRF                 |             Triage Stage:  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by Klaas van Schelven):

 > When the CSRF origin check fails, the documentation points in the
 direction of adding that origin to CSRF_ALLOWED_ORIGINS. However, as far
 as I understand this should only be necessary if there are actually
 cross-origin requests.

 I can second this:

 The documentation recommends this, as does "the internet" (top-voted
 answers on Stack Overflow), and pretty much everyone and their dog's blog.
 Rarely is there any mention that setting this should in fact only be
 required when you're doing anything cross-origin.

 > Using SECURE_PROXY_SSL_HEADER must be an informed decision as it may
 cause security issues.

 Yes. But: adding random stuff to `CSRF_ALLOWED_ORIGINS` should also be an
 informed decision.

 I found it useful to instead push to understanding the problem before
 proceeding, by getting
 [https://github.com/bugsink/verbose_csrf_middleware/blob/main/README.md
 more verbose error messages from your middleware]. Not the entire answer,
 but yet another puzzle piece.

 I'm not pushi
-- 
Ticket URL: <https://code.djangoproject.com/ticket/34855#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
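The failure mode the comment describes, as an added example that is not part of the ticket or of Django's own code: a simplified stand-alone model of the CSRF Origin check and of how SECURE_PROXY_SSL_HEADER changes the scheme Django believes the request arrived on. The request dict, header names and the `("X-Forwarded-Proto", "https")` pair are constructed for illustration; real Django reads the setting from `request.META` (for this header, `("HTTP_X_FORWARDED_PROTO", "https")`).

```python
from urllib.parse import urlsplit

# Constructed scenario: the browser POSTs to https://app.example.com, TLS is
# terminated at a reverse proxy, and the proxy forwards plain HTTP to Django
# while adding X-Forwarded-Proto: https.  Same site, no cross-origin request.
PROXIED_REQUEST = {
    "headers": {
        "Origin": "https://app.example.com",
        "Host": "app.example.com",
        "X-Forwarded-Proto": "https",
    },
    "transport_secure": False,  # proxy -> Django hop is plain HTTP
}


def request_scheme(req, secure_proxy_ssl_header=None):
    """Model of request.is_secure(): trust the proxy header only when configured."""
    if req["transport_secure"]:
        return "https"
    if secure_proxy_ssl_header:
        name, value = secure_proxy_ssl_header
        if req["headers"].get(name) == value:
            return "https"
    return "http"


def origin_verified(req, secure_proxy_ssl_header=None, csrf_trusted_origins=()):
    """Simplified model of the Origin check (not Django's code): same-origin
    passes without any trusted-origin entry; otherwise the Origin must match
    CSRF_TRUSTED_ORIGINS exactly or via a 'https://*.example.com' wildcard."""
    origin = req["headers"].get("Origin")
    if origin is None:
        return False
    host = req["headers"]["Host"]
    good_origin = f"{request_scheme(req, secure_proxy_ssl_header)}://{host}"
    if origin == good_origin:
        return True  # genuinely same-origin, nothing to whitelist
    if origin in csrf_trusted_origins:
        return True
    parsed = urlsplit(origin)
    for trusted in csrf_trusted_origins:
        t = urlsplit(trusted)
        if (t.scheme == parsed.scheme and t.netloc.startswith("*")
                and parsed.netloc.endswith(t.netloc[1:])):
            return True
    return False


if __name__ == "__main__":
    # Without the proxy header honoured, Django computes http://app.example.com
    # and rejects the https Origin: adding it to CSRF_TRUSTED_ORIGINS "fixes" the
    # symptom, SECURE_PROXY_SSL_HEADER fixes the actual scheme mismatch.
    print(origin_verified(PROXIED_REQUEST))                                          # False
    print(origin_verified(PROXIED_REQUEST, ("X-Forwarded-Proto", "https")))          # True
    print(origin_verified(PROXIED_REQUEST, csrf_trusted_origins=("https://app.example.com",)))  # True
```

Both the last two calls pass, but only the SECURE_PROXY_SSL_HEADER one leaves Django with a correct view of the request scheme, which also matters for secure cookies and HTTPS redirects.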
