
Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#13849 closed (wontfix)

CsrfViewMiddleware is too strict on referer checking for secure requests

Reported by: pmclanahan
Owned by: nobody
Component: Core (Other)
Version: 1.2
Severity: (none)
Keywords: csrf
Cc: (none)
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: (none)
UI/UX: (none)

Description

In a project we'd like to have forms exist on an insecure page, but submit to a secure URL, and be CSRF protected using the middleware. This is currently impossible due to the middleware checking for "https" in the referer header for secure requests. I feel this is too strict and a check for the same host would be sufficient if any referer check is required at all. The comment in the code above these lines even suggests that the check may be too strict.

The lines to which I'm referring are 134 - 137 in django/middleware/csrf.py.

I'll be happy to provide a patch if a course of action is decided upon in the discussion.
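The two checks under discussion, as an added illustration that is not Django's own middleware code: the strict "https on the same host" Referer test the ticket objects to, beside the relaxed same-host test it proposes. Function names, reason strings and the request scenarios are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

REJECT_NO_REFERER = "no referer"
REJECT_BAD_REFERER = "referer mismatch"


def strict_referer_check(is_secure: bool, host: str, referer: Optional[str]) -> Optional[str]:
    """Approximation of the behaviour the ticket describes: for a secure (HTTPS)
    request the Referer must be present and must itself be https:// on the
    same host. Returns None when accepted, otherwise a rejection reason."""
    if not is_secure:
        return None  # only secure requests are subject to the Referer check
    if referer is None:
        return REJECT_NO_REFERER
    # Trailing slash matters: "https://example.com.other/" must not pass.
    if not referer.startswith("https://%s/" % host):
        return REJECT_BAD_REFERER
    return None


def same_host_referer_check(is_secure: bool, host: str, referer: Optional[str]) -> Optional[str]:
    """The relaxation the reporter asks for (hypothetical): any scheme, same host."""
    if not is_secure:
        return None
    if referer is None:
        return REJECT_NO_REFERER
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or parts.netloc.lower() != host.lower():
        return REJECT_BAD_REFERER
    return None


# Constructed request scenarios: (is_secure, host, referer)
TICKET_SCENARIO = (True, "example.com", "http://example.com/signup/")   # form on HTTP page, submit over HTTPS
SAME_SCHEME = (True, "example.com", "https://example.com/signup/")      # HTTPS page submitting to HTTPS
CROSS_SITE = (True, "example.com", "https://other.example/signup/")     # different host: both checks reject

if __name__ == "__main__":
    for name, scenario in (("ticket", TICKET_SCENARIO), ("same scheme", SAME_SCHEME), ("cross site", CROSS_SITE)):
        print(name, "strict:", strict_referer_check(*scenario), "same-host:", same_host_referer_check(*scenario))
```

The ticket's scenario is rejected only by the strict check; a cross-host Referer is rejected by both.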

Attachments (0)

Change History (2)

comment:1 Changed 4 years ago by pmclanahan

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to wontfix
  • Status changed from new to closed

See the mailing list thread for an explanation of the reasons for wontfixing this.

http://groups.google.com/group/django-developers/browse_thread/thread/22058adaf11e3ed6

comment:2 Changed 4 years ago by lukeplant

See [13405]
