CSRF too strict when no referer is present
|Reported by:||rtux||Owned by:||nobody|
|Cc:||fritsch+djangoproject.com@…, jon.dufresne@…||Triage Stage:||Unreviewed|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
For privacy reasons, users may decide to stop their browser from sending referer headers, which is fine with probably 99.9% of the webpages. I recently had troubles logging into launchpad, which uses django’s csrf-protection and it turned out to be due to the missing referer header from my browser.
So just the fact, that the header is missing should not imply, that the request is invalid.
This concerns mainly the function django.middleware.csrf.CsrfViewMiddleware.process_view
Change History (10)
comment:1 Changed 5 years ago by
|Patch needs improvement:||unset|