#16870: CSRF too strict when no referer is present
--------------------------------------+------------------------------
Reporter: rtux | Owner: nobody
Type: Bug | Status: closed
Milestone: | Component: contrib.csrf
Version: 1.3 | Severity: Normal
Resolution: wontfix | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
--------------------------------------+------------------------------
Changes (by PaulM):
* status: new => closed
* resolution: => wontfix
Comment:
This is intentional and is not likely to change. We are looking at adding
support for the Origin header, which has similar functionality, but we
will not remove the requirement entirely. We only require the referer
header in the case that you're coming from an SSL encrypted Django site
back to that same site, in which case the privacy implications of blocking
the header are pretty nonexistent.
Instead of blocking the header altogether, you might consider an addon
that does something more intelligent like blocking it only when moving
from one domain to another.
Unfortunately, this check is absolutely necessary for the security of
Django's CSRF protection. Without it, we can't prevent man-in-the-middle
attacks on SSL sites. We made the decision that preventing MITM was a more
valuable tradeoff than breaking sites for the small minority of users who
block the header in a fashion which does not improve privacy.
--
Ticket URL: <https://code.djangoproject.com/ticket/16870#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
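To make the rule defended in the comment concrete, here is an added Python example (not Django's own middleware, which also validates the CSRF cookie and token) that mirrors only the referer part of the check as the comment describes it: a state-changing request over HTTPS must carry a Referer pointing back at the same HTTPS origin, and a missing or cross-origin Referer is rejected. The sample requests and the `example.com` host are constructed for illustration.

```python
from urllib.parse import urlsplit

# Methods that Django's CSRF middleware treats as read-only and never checks.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

def _origin(url):
    """(scheme, hostname, port) for a URL with the default port filled in;
    None if there is no usable scheme/host or the port is invalid."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname, port)

def referer_check(method, is_secure, host, referer):
    """Return (allowed, reason). Mirrors the rule the comment defends: a
    state-changing request over HTTPS must carry a Referer that points back
    at the same HTTPS origin. Without it, a network attacker who serves the
    victim a plain-HTTP page could submit a forged form to the HTTPS site."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, referer not checked"
    if not is_secure:
        return True, "plain HTTP request, referer not required"
    if not referer:
        # Stripped header or a privacy add-on blocking Referer: the reporter's case.
        return False, "referer missing on HTTPS request"
    got = _origin(referer)
    if got is None:
        return False, "referer is malformed"
    expected = _origin("https://" + host)
    if got != expected:
        return False, "referer origin %r does not match %r" % (got, expected)
    return True, "same-origin HTTPS referer"

# Constructed sample requests; the protected site is assumed to be https://example.com.
SAMPLES = {
    "get_no_referer": ("GET", True, "example.com", None),
    "post_http_no_referer": ("POST", False, "example.com", None),
    "post_https_no_referer": ("POST", True, "example.com", None),
    "post_same_origin": ("POST", True, "example.com", "https://example.com/form/"),
    "post_downgraded": ("POST", True, "example.com", "http://example.com/form/"),
    "post_cross_site": ("POST", True, "example.com", "https://evil.example/form/"),
}

def run_samples():
    """Evaluate every sample; returns {name: allowed}."""
    return {name: referer_check(*req)[0] for name, req in SAMPLES.items()}
```

The `post_downgraded` sample is the situation the comment calls man-in-the-middle: a plain-HTTP page on the same hostname is not a same-origin HTTPS referer, so the request is refused.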