On Mon, Sep 25, 2017 at 5:47 PM, Michael Merickel <[email protected]> wrote: >> So what's the best way forward? > > I think you covered your options pretty well. > > 1) Set wsgi.url_scheme to "http" as origin checks are only done on https. > 2) Set the pyramid.csrf_trusted_origins as you are doing now. > 3) Disable csrf checking for your tests. > > I think it's just a helpful reminder that you would be wise to think about > the origin header more these days as it's required by CORS requests and, of > course, cross origin requests are the attack vector CSRF is helping to > protect.
It sounds like it needs documentation then. What is the Origin header and shouldn't Pyramid/WebOb set it automatically if it's becoming more important? #1 and #3 would make the test environment different from the real environment. #2 raises the question of what is WebTest's Origin header, what should it be, why are they different, and does something need to be changed in the library? -- Mike Orr <[email protected]> -- You received this message because you are subscribed to the Google Groups "pylons-discuss" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/CAH9f%3DuoOSNZKiSfTfabHevOE_p53Q8XL-UHbjxsdT6qSec7xkQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
