id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux
19778,csrf middleware report BAD_REFERER when HTTP_HOST contains port,jens.tinfors@…,,"For a given request with the HTTP_HOST header set to 'www.example.com:443' and the HTTP_REFERER set to 'https://www.example.com/somepage' the same_origin check will report REASON_BAD_REFERER due to the fact that HOST has a port and REFERER does not. Perhaps, as in my case, a less competent firewall has tampered with the request on its way to the server.

Here's a failing test (that I added to tests/regressiontests/csrf_tests/tests.py):

{{{
def test_https_good_referer_with_port(self):
    req = self._get_POST_request_with_token()
    req._is_secure_override = True
    req.META['HTTP_HOST'] = 'www.example.com:443'
    req.META['HTTP_REFERER'] = 'https://www.example.com/somepage'
    req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
    self.assertEqual(None, req2)
}}}

I know the port is a valid part of the same_origin check but I'm thinking that if it's missing from REFERER, the scheme is https and HTTP_HOST uses the default port, maybe we can skip the port from the same_origin check. What do you think?

Incidentally, if I set a port number on the HTTP_REFERER the test still fails:

{{{
def test_https_good_referer_with_port(self):
    req = self._get_POST_request_with_token()
    req._is_secure_override = True
    req.META['HTTP_HOST'] = 'www.example.com:443'
    req.META['HTTP_REFERER'] = 'https://www.example.com/somepage:443'
    req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
    self.assertEqual(None, req2)
}}}

kind regards
/jens",Bug,closed,CSRF,dev,Normal,wontfix,,,Accepted,1,0,0,1,0,0