Opened 4 years ago

Closed 4 years ago

#17563 closed Uncategorized (wontfix)

See:, at point 4

Reported by: vanschelven
Owned by: nobody
Component: Uncategorized
Version: 1.3
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


Django does strict referer checking in the CSRF mechanism. See:, at point 4

Security-aware people may, however, turn referer headers off. This leads to 403 errors for them.

The "feature" is not strictly necessary; at the moment of switching to HTTPS one could erase any HTTP cookies.

Change History (2)

comment:1 Changed 4 years ago by vanschelven

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Trac ate my subject after logging in... should have been "Referer checking for CSRF under HTTPS should be removed"

comment:2 Changed 4 years ago by lukeplant

  • Resolution set to wontfix
  • Status changed from new to closed

We need strict referer checking under HTTPS, because with the session independent nonce we are using, there is the following vulnerability:


The attacker can set the CSRF cookie using Set-Cookie, and then supply a matching token in the POST form data. Since the site does not tie the session cookies to the CSRF cookies, it has no way of determining that the CSRF token + cookie are genuine (doing hashing etc. of one of them will not work, as the attacker can just get a valid pair from the site directly, and use that pair in the attack).

(Copied from CsrfProtection)

The solution of erasing HTTP cookies doesn't work - when the server receives a cookie under HTTPS it cannot determine whether it was set by HTTPS or not. (Erasing client side is not an option - the whole point of this is that we cannot control what happens client side, since it could be sent by a MITM over an HTTP connection).

So, unfortunately there is no way we can turn this off without opening up a vulnerability.

Finally, security-aware people can set their browser to only avoid sending Referer headers cross-domain. That way everything will still work.
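
Added example, not part of the ticket and not Django's middleware code: a simplified Python model of a session-independent double-submit check, showing why a matching cookie/token pair alone proves nothing under HTTPS and what the strict Referer check adds. The function names, host names and token value are assumptions made for the illustration.

```python
# Simplified model of a session-independent double-submit CSRF check.
# Added illustration; this is not Django's middleware code.
import hmac
from urllib.parse import urlsplit


def tokens_match(cookie_token, form_token):
    """Double-submit test: the form token must equal the cookie token."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def referer_is_same_origin(referer, host):
    """Strict check: Referer must be present, HTTPS, and name this host."""
    if not referer:
        return False  # header switched off: rejected (the 403 in the ticket)
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.netloc == host


def check_post(is_secure, host, cookie_token, form_token, referer,
               strict_referer=True):
    """Return (accepted, reason) for a POST request."""
    if is_secure and strict_referer and not referer_is_same_origin(referer, host):
        return False, "bad or missing Referer"
    if not tokens_match(cookie_token, form_token):
        return False, "token mismatch"
    return True, "ok"


HOST = "shop.example"   # constructed host name
PLANTED = "a" * 32      # constructed value: a pair not issued to this user

# The cookie was written over plain HTTP and a cross-site form posts the
# same value. On the HTTPS request the server sees only the cookie value,
# not how it was set, so the token comparison passes.
forged = dict(is_secure=True, host=HOST, cookie_token=PLANTED,
              form_token=PLANTED, referer="https://other.example/page")
genuine = dict(forged, referer="https://shop.example/cart")
no_referer = dict(forged, referer=None)

if __name__ == "__main__":
    print(check_post(**forged, strict_referer=False))  # accepted: the gap
    print(check_post(**forged))                        # rejected by Referer
    print(check_post(**genuine))                       # accepted
    print(check_post(**no_referer))                    # rejected: no header
```

The `no_referer` case is the trade-off the reporter objects to: a request with no Referer at all is indistinguishable from a forged one in this model, so it is rejected as well.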
