On Mon, Sep 25, 2017 at 9:00 PM, Mike Orr <[email protected]> wrote:
> On Mon, Sep 25, 2017 at 5:47 PM, Michael Merickel <[email protected]> wrote:
>>> So what's the best way forward?
>>
>> I think you covered your options pretty well.
>>
>> 1) Set wsgi.url_scheme to "http" as origin checks are only done on https.
>> 2) Set the pyramid.csrf_trusted_origins as you are doing now.
>> 3) Disable csrf checking for your tests.
>>
>> I think it's just a helpful reminder that you would be wise to think about
>> the origin header more these days as it's required by CORS requests and, of
>> course, cross origin requests are the attack vector CSRF is helping to
>> protect.
>
> It sounds like it needs documentation then. What is the Origin header
> and shouldn't Pyramid/WebOb set it automatically if it's becoming more
> important?
>
> #1 and #3 would make the test environment different from the real
> environment. #2 raises the question of what is WebTest's Origin
> header, what should it be, why are they different, and does something
> need to be changed in the library?
I guess the solution is #1, to roll back the HTTPS, because there is no HTTPS because there's no network server. That in turn will require a configuration that doesn't make the cookies HTTPS-only.

> --
> Mike Orr <[email protected]>

--
Mike Orr <[email protected]>
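The origin rule the thread is arguing about, as an added illustration that is not Pyramid's or WebTest's own code: a simplified model of the check (compare Origin, or Referer, against the request host plus a trusted list, but only when the request is HTTPS), run over constructed WSGI environs that reproduce the test-client mismatch and the effect of options #1 and #2. The environ values, the `demo()` helper and the host names are all constructed for this example.

```python
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": "80", "https": "443"}

def _normalize(netloc, scheme):
    """Lower-case host[:port], dropping the port when it is the scheme default."""
    host, _, port = netloc.lower().partition(":")
    if not port or port == DEFAULT_PORTS.get(scheme):
        return host
    return f"{host}:{port}"

def check_csrf_origin(environ, trusted_origins=()):
    """Return (ok, reason) for a WSGI environ.

    Simplified model of the rule in the thread (not Pyramid's code): the Origin
    header (falling back to Referer) is only compared against the request host
    and the trusted list when the request is HTTPS; plain HTTP skips the check.
    """
    scheme = environ.get("wsgi.url_scheme", "http")
    if scheme != "https":
        return True, "not https: origin check skipped"
    origin = environ.get("HTTP_ORIGIN") or environ.get("HTTP_REFERER")
    if not origin:
        return False, "no Origin or Referer header"
    parsed = urlparse(origin)
    if not parsed.netloc:
        return False, "unparseable origin"
    presented = _normalize(parsed.netloc, parsed.scheme)
    own_host = _normalize(environ.get("HTTP_HOST", ""), scheme)
    # Trusted origins are host[:port] strings, like pyramid.csrf_trusted_origins.
    allowed = {own_host} | {_normalize(t, scheme) for t in trusted_origins}
    if presented not in allowed:
        return False, f"origin {presented!r} not in {sorted(allowed)}"
    return True, "origin matches"

def demo():
    """Constructed environs: a test client presenting http://localhost while the
    app has been told it is HTTPS, then the two workarounds from the thread."""
    base = {"REQUEST_METHOD": "POST", "HTTP_HOST": "localhost:80",
            "wsgi.url_scheme": "https", "HTTP_ORIGIN": "http://localhost"}
    mismatch = check_csrf_origin(base)[0]                                 # False
    option1 = check_csrf_origin({**base, "wsgi.url_scheme": "http"})[0]   # True
    option2 = check_csrf_origin(base, trusted_origins=["localhost"])[0]   # True
    # The check still rejects a genuinely cross-site origin on an HTTPS request.
    cross_site = check_csrf_origin({**base, "HTTP_HOST": "app.example",
                                    "HTTP_ORIGIN": "https://evil.example"})[0]  # False
    return mismatch, option1, option2, cross_site
```

Option #1 passes only because the whole check is skipped for HTTP, which is why it is a test-only workaround; option #2 keeps the check active and whitelists the test client's host instead.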
