id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
15617	CSRF referer checking too strict	adam	Luke Plant	"I get this error:

Forbidden (403)
CSRF verification failed. Request aborted.

Reason given for failure:

    Referer checking failed - https://sub.domain.com does not match https://sum.domain.com/.

Using IE6 on my site. In the apache log the request looks like:

86.24.194.171 - - [15/Mar/2011:15:07:06 +0000] ""POST / HTTP/1.1"" 403 1030 ""https://sub.domain.com"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)""

So it looks like the referer should not be required to start with a url including a trailing slash. That is a change to make:

good_referer = 'https://%s' % request.get_host()

Happy to provide a patch if people agree with my conclusions.
"		closed	Uncategorized	1.3-beta		fixed			Accepted	0	0	0	0	0	0
