id: 15617
summary: CSRF referer checking too strict
reporter: adam
owner: Luke Plant
type:
status: closed
component: Uncategorized
version: 1.3-beta
severity:
resolution: fixed
keywords:
cc:
stage: Accepted
has_patch: 0
needs_docs: 0
needs_tests: 0
needs_better_patch: 0
easy: 0
ui_ux: 0

description:

I get this error:

    Forbidden (403)
    CSRF verification failed. Request aborted.
    Reason given for failure:
    Referer checking failed - https://sub.domain.com does not match https://sum.domain.com/.

Using IE6 on my site. In the apache log the request looks like:

    86.24.194.171 - - [15/Mar/2011:15:07:06 +0000] "POST / HTTP/1.1" 403 1030 "https://sub.domain.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"

So it looks like the referer should not be required to start with a url including a trailing slash. That is a change to make:

    good_referer = 'https://%s' % request.get_host()

Happy to provide a patch if people agree with my conclusions.
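
Added example, not part of the ticket and not Django's own code: it contrasts a prefix test against a good_referer with a trailing slash, the same prefix test with the slash dropped as proposed above, and a comparison of parsed scheme, host and port. The function names and the sample Referer values are constructed for illustration, and treating the check as a startswith() test is an assumption based on the reporter's "start with" wording.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) for a URL, or None if it cannot be used."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname.lower(),
            port or DEFAULT_PORTS[parts.scheme])

def strict_prefix_check(referer, host):
    # Assumed form of the failing check: expected value ends in "/".
    return referer.startswith("https://%s/" % host)

def loose_prefix_check(referer, host):
    # The proposed good_referer without the slash, still used as a prefix.
    return referer.startswith("https://%s" % host)

def same_origin_check(referer, host):
    # Compare parsed components so neither the slash nor a longer
    # hostname sharing the same leading characters affects the result.
    ref = origin(referer)
    return ref is not None and ref == origin("https://%s/" % host)

# Constructed sample Referer values (host taken from the ticket's log line).
SAMPLES = [
    "https://sub.domain.com",                # IE6 case from the ticket
    "https://sub.domain.com/form/",          # ordinary same-site referer
    "https://sub.domain.com:443/form/",      # explicit default port
    "https://sub.domain.com.other.example/", # different host, same prefix
    "http://sub.domain.com/",                # same host over plain HTTP
]

def evaluate(host="sub.domain.com"):
    """Return (referer, strict, loose, same_origin) for each sample."""
    return [(r, strict_prefix_check(r, host), loose_prefix_check(r, host),
             same_origin_check(r, host)) for r in SAMPLES]

if __name__ == "__main__":
    for row in evaluate():
        print("%-40s strict=%-5s loose=%-5s same_origin=%s" % row)
```

Only the component comparison both accepts the slash-less referer from the log line and rejects the longer hostname that merely begins with the site's host.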