Changes between Initial Version and Version 1 of Ticket #16010, comment 3


Timestamp:
May 30, 2011, 6:13:49 AM (13 years ago)
Author:
Luke Plant

  • Ticket #16010, comment 3

    Diff of comment 3, initial version vs. version 1 (one line changed):

    Unmodified (both versions), line 5:
    2) Which brings us to the strict referer checking to HTTPS, which doesn't allow for CSRF_COOKIE_DOMAIN either, but probably should - and probably hasn't come up so far because fewer people are using HTTPS. But I'm hesitating on that too, because of possible unforeseen security implications in the context of HTTPS.

    Removed (initial version), line 7:
    So, I think to start with we should make the Origin checking allow wild-card subdomains if CSRF_COOKIE_DOMAIN does, and docs for that setting should be updated accordingly. Sorry for not mentioning that earlier, it didn't occur to. For now, we'll leave the referer checking as it is, and as it is documented i.e. a simple strict referer check for HTTPS.

    Added (version 1), line 7:
    So, I think to start with we should make the Origin checking allow wild-card subdomains if CSRF_COOKIE_DOMAIN does, and docs for that setting should be updated accordingly. Sorry for not mentioning that earlier, it didn't occur to me. For now, we'll leave the referer checking as it is, and as it is documented i.e. a simple strict referer check for HTTPS.
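The two checks the comment contrasts, as an added illustration (this is not Django's CSRF middleware code): an Origin check that honours a wildcard CSRF_COOKIE_DOMAIN (leading dot, as that setting is documented), beside the strict referer check for HTTPS that deliberately does not. Function names and the sample hosts are assumptions made for the example.

```python
from urllib.parse import urlparse


def host_matches_cookie_domain(host, cookie_domain):
    """True if `host` is covered by a CSRF_COOKIE_DOMAIN-style value.

    A leading dot ('.example.com') means the bare domain and any subdomain;
    otherwise only an exact host match counts. (Example helper, not Django's.)
    """
    if not cookie_domain:
        return False
    host = host.lower().rstrip(".")
    cd = cookie_domain.lower()
    if cd.startswith("."):
        # Suffix match must include the dot so 'evil-example.com' is rejected.
        return host == cd[1:] or host.endswith(cd)
    return host == cd


def origin_allowed(origin_header, request_host, cookie_domain=None):
    """Origin check: same host as the request, or a host that the
    wildcard CSRF_COOKIE_DOMAIN would also have sent the cookie to."""
    parsed = urlparse(origin_header or "")
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False  # covers a missing header and the literal 'null' origin
    if parsed.netloc.lower() == request_host.lower():
        return True  # exact host[:port] match, no setting needed
    return host_matches_cookie_domain(parsed.hostname, cookie_domain)


def referer_allowed_https(referer_header, request_host):
    """Strict referer check for HTTPS requests, as the comment leaves it:
    the referer must be https and its host must equal the request host exactly.
    CSRF_COOKIE_DOMAIN is intentionally not consulted here."""
    parsed = urlparse(referer_header or "")
    return parsed.scheme == "https" and parsed.netloc.lower() == request_host.lower()


if __name__ == "__main__":
    # Constructed sample values for a site served at www.example.com.
    print(origin_allowed("https://app.example.com", "www.example.com", ".example.com"))  # True
    print(origin_allowed("https://app.example.com", "www.example.com", "www.example.com"))  # False
    print(referer_allowed_https("https://app.example.com/", "www.example.com"))  # False
```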