> So what's the best way forward? I think you covered your options pretty well.
1) Set wsgi.url_scheme to "http" as origin checks are only done on https. 2) Set the pyramid.csrf_trusted_origins as you are doing now. 3) Disable csrf checking for your tests. I think it's just a helpful reminder that you would be wise to think about the origin header more these days as it's required by CORS requests and, of course, cross origin requests are the attack vector CSRF is helping to protect. -- You received this message because you are subscribed to the Google Groups "pylons-discuss" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/CAKdhhwEQ6qYjdy7c%3D85c4-cM1YVXWimoL3kVEvvKV3oHzGJ4OA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
