Re: GSoC 2012: Security Enhancements

2012-04-23 Thread Paul McMillan
On Wed, Apr 18, 2012 at 3:50 PM, Luke Plant wrote: > One query: are you sure it is harder to manipulate? In particular, I > remember from a while back that Flash allowed some headers to be > manipulated, which caused problems, and they fixed it by blacklisting > some

Re: GSoC 2012: Security Enhancements

2012-04-20 Thread Rohan Jain
On 16:03 +0100 / 18 Apr, Luke Plant wrote: > On 15/04/12 05:23, Rohan Jain wrote: > > On 22:50 +0100 / 13 Apr, Luke Plant wrote: > >> The reason for the strict referer checking under HTTPS is set out here: > >> > >> https://code.djangoproject.com/wiki/CsrfProtection > >> > >> Particularly, it is

Re: GSoC 2012: Security Enhancements

2012-04-19 Thread Rohan Jain
I hosted a simple app which responds with the request details for testing purposes: https://request-mirror.herokuapp.com/ (source: https://github.com/crodjer/request-mirror) On 12:05 -0700 / 18 Apr, Paul McMillan wrote: > There seems to be some confusion about CORS (a hairy draft spec that > is

Re: GSoC 2012: Security Enhancements

2012-04-18 Thread Luke Plant
On 18/04/12 20:05, Paul McMillan wrote: > My suggestion here is to include optional support for the Origin > header as follows: > - if present and null, fail the CSRF check > - if present and not null, use it alongside the Referer header > - if absent, keep current behavior > > As a general

Re: GSoC 2012: Security Enhancements

2012-04-18 Thread Paul McMillan
There seems to be some confusion about CORS (a hairy draft spec that is not fully implemented in any browser, and not appropriate for inclusion in Django at this time) and the "Origin" header (aka Web Origin, rfc6454). http://tools.ietf.org/html/rfc6454 https://wiki.mozilla.org/Security/Origin

Re: GSoC 2012: Security Enhancements

2012-04-18 Thread Luke Plant
Sorry to reply twice, a comment on a different part: On 15/04/12 05:23, Rohan Jain wrote: > On 22:50 +0100 / 13 Apr, Luke Plant wrote: >> .. At the moment, it seems that few browsers send the >> 'Origin' header for normal HTML requests. (Recent versions of Chrome, >> Firefox and Opera do not, I

Re: GSoC 2012: Security Enhancements

2012-04-18 Thread Luke Plant
On 15/04/12 05:23, Rohan Jain wrote: > On 22:50 +0100 / 13 Apr, Luke Plant wrote: >> The reason for the strict referer checking under HTTPS is set out here: >> >> https://code.djangoproject.com/wiki/CsrfProtection >> >> Particularly, it is to fix the 'CSRF + MITM' attack that is possible >> under

Re: GSoC 2012: Security Enhancements

2012-04-14 Thread Rohan Jain
On 22:50 +0100 / 13 Apr, Luke Plant wrote: > Hi Rohan, > > Sorry for the slow reply on this one, I've had a busy time recently. > Please see my comments on some parts of this proposal. No worries about this. > > On 31/03/12 19:10, Rohan Jain wrote: > > Hi, > > > > I am Rohan Jain, a 4th

Re: GSoC 2012: Security Enhancements

2012-04-13 Thread Luke Plant
Hi Rohan, Sorry for the slow reply on this one; I've had a busy time recently. Please see my comments on some parts of this proposal. On 31/03/12 19:10, Rohan Jain wrote: > Hi, > > I am Rohan Jain, a 4th (final) year B.Tech undergraduate student from > Indian Institute of Technology, Kharagpur.

Re: GSoC 2012: Security Enhancements

2012-04-06 Thread Rohan Jain
Hi Russell, That is good news for me. I have added a timeline and posted it over Melange. Public Gist for the same: https://gist.github.com/2203174 -- Rohan On 16:14 +0800 / 6 Apr, Russell Keith-Magee wrote: > > On 06/04/2012, at 3:54 PM, Rohan Jain wrote: > > > Hi Russell, > > > > Thanks

Re: GSoC 2012: Security Enhancements

2012-04-06 Thread Russell Keith-Magee
On 06/04/2012, at 3:54 PM, Rohan Jain wrote: > Hi Russell, > > Thanks for the reply. > > On 14:42 +0800 / 6 Apr, Russell Keith-Magee wrote: >> >> Hi Rohan, >> >> Apologies for the lack of response. Anyone who has put effort into writing >> up a proposal certainly deserves a response of some

Re: GSoC 2012: Security Enhancements

2012-04-06 Thread Rohan Jain
Hi Russell, Thanks for the reply. On 14:42 +0800 / 6 Apr, Russell Keith-Magee wrote: > > Hi Rohan, > > Apologies for the lack of response. Anyone who has put effort into writing up > a proposal certainly deserves a response of some kind, so we've dropped the > ball here. > > In our defence,

Re: GSoC 2012: Security Enhancements

2012-04-06 Thread Russell Keith-Magee
Hi Rohan, Apologies for the lack of response. Anyone who has put effort into writing up a proposal certainly deserves a response of some kind, so we've dropped the ball here. In our defence, here's a couple of the reasons why your proposal probably hasn't got a wild response: * You've

Re: GSoC 2012: Security Enhancements

2012-04-06 Thread Rohan Jain
Hi again, I really couldn't understand the response this post has got. It deserved at least a little feedback, positive or negative. I guess I won't be submitting this over Melange. Still, I have put some effort and research into the proposal. So if possible I would like to know if it had anything

GSoC 2012: Security Enhancements

2012-03-31 Thread Rohan Jain
Hi, I am Rohan Jain, a 4th (final) year B.Tech undergraduate student from Indian Institute of Technology, Kharagpur. I have been using Django for over a year and generally look into the code base to find out about various implementations. I have made attempts to make some minor contributions and if