id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
13849	CsrfViewMiddleware is too strict on referer checking for secure requests	Paul McLanahan	nobody	"In a project we'd like to have forms exist on an insecure page, but submit to a secure URL, and be CSRF protected using the middleware. This is currently impossible due to the middleware checking for ""https"" in the referer header for secure requests. I feel this is too strict and a check for the same host would be sufficient if any referer check is required at all. The comment in the code above these lines even suggests that the check may be too strict.

The lines to which I'm referring are 134 - 137 in `django/middleware/csrf.py`.

I'll be happy to provide a patch if a course of action is decided upon in the discussion."		closed	Core (Other)	1.2		wontfix	csrf		Unreviewed	0	0	0	0	0	0
