Changes between Initial Version and Version 2 of Ticket #25334


Ignore:
Timestamp:
Sep 1, 2015, 11:22:13 AM (9 years ago)
Author:
Carl Meyer
Comment:

I'm updating the description here to try to more clearly describe the motivation for _this_ feature, why it is useful in addition to #24496. Please let me know if you think the new description is lacking.

Legend:

Unmodified
Added
Removed
Modified

  • Ticket #25334

    • Property Status newassigned

  • Ticket #25334 – Description

    initial v2  
    1 See previous discussion in #24496
     1Django's CSRF implementation (when used over HTTPS) validates that the Referer header matches the current host (i.e. that the request is coming from the same domain).
    22
    3 Right now, if you try to share a CSRF token across a subdomain without
    4 https, everything works great since the Referer header isn't validated.
     3There are cases where it is reasonable to allow non-same-origin CSRF-protected requests. Ticket #24996 (which also contains some discussion relevant to this ticket) has a pull request to allow any host that matches `CSRF_COOKIE_DOMAIN` past the Referer check; this takes care of the common subdomain cases.
    54
    6 But over https, we want to be a bit more strict and make sure that the
    7 Referer is from another secure site, and also that the Referer matches
    8 where we think it should be coming from. Django should validate that the
    9 Referer header matches one of the domains listed in
    10 `CSRF_TRUSTED_ORIGINS`, including the currently responding
    11 `ALLOWED_HOST`.
     5But there also cases where a totally separate domain may be allowed to make `POST` (etc) requests to an API via CORS, and CORS headers can be configured to allow XHR requests from that external domain to send cookies to the API (including the CSRF cookie). But at the moment such a technique falls afoul of the Referer checking, and the only way to bypass it is by monkeypatching the request headers (that's what https://github.com/ottoyiu/django-cors-headers does).
     6
     7This ticket proposes adding a `CSRF_TRUSTED_ORIGINS` setting, which can be set to a list of hosts that should be considered valid Referers for the purposes of CSRF checking.
Back to Top