﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
32579	Two outdated code comments in CsrfViewMiddleware.process_view()	Chris Jerdonek	Chris Jerdonek	"I noticed that a couple code comments in `CsrfViewMiddleware.process_view()` are outdated:

First, there's this one:
https://github.com/django/django/blob/41e6b2a3c5e723256506b9ff49437d52a1f3bf43/django/middleware/csrf.py#L333-L334
which wasn't updated here:
https://github.com/django/django/commit/b0c56b895fd2694d7f5d4595bdbbc41916607f45

There's also this one:
https://github.com/django/django/blob/41e6b2a3c5e723256506b9ff49437d52a1f3bf43/django/middleware/csrf.py#L314-L316
which wasn't updated quite correctly here:
https://github.com/django/django/commit/ddf169cdaca91e92dd5bfe6796bb6f38369ecb68

Something like this would be better for the second one:

{{{
- # If there isn't a CSRF_COOKIE_DOMAIN, require an exact match
- # match on host:port. If not, obey the cookie rules (or those
- # for the session cookie, if CSRF_USE_SESSIONS).
  good_referer = (
      settings.SESSION_COOKIE_DOMAIN
      if settings.CSRF_USE_SESSIONS
      else settings.CSRF_COOKIE_DOMAIN
  )
- if good_referer is not None:
-     server_port = request.get_port()
-     if server_port not in ('443', '80'):
-         good_referer = '%s:%s' % (good_referer, server_port)
- else:
+ if good_referer is None:
+     # If no cookie domain is configured, allow matching the
+     # current host:port.
      try:
          # request.get_host() includes the port.
          good_referer = request.get_host()
      except DisallowedHost:
          pass
+ else:
+     server_port = request.get_port()
+     if server_port not in ('443', '80'):
+         good_referer = '%s:%s' % (good_referer, server_port)
}}}
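
Review bot: The relocated `else:` branch (the case where a cookie domain is configured) ends up with no comment at all, because the removed three-line comment was the only place stating that the cookie domain rules apply there, or the session cookie's when `CSRF_USE_SESSIONS` is set. Suggest a one-line comment under `else:` saying that the configured domain is used and that the port is appended only when `server_port` is not '443' or '80'. The new comment in the `if good_referer is None:` branch could also mention that `good_referer` stays `None` when `request.get_host()` raises `DisallowedHost`, since the `except DisallowedHost: pass` path is easy to overlook.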
"	Cleanup/optimization	closed	CSRF	dev	Normal	fixed	CsrfViewMiddleware		Ready for checkin	1	0	0	0	0	0
