id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
25334	Check CSRF Referer against CSRF_TRUSTED_ORIGINS	Joshua Kehn	Joshua Kehn	"See previous discussion in #24496

Right now, if you try to share a CSRF token across a subdomain without
https, everything works great since the Referer header isn't validated.

But over https, we want to be a bit more strict and make sure that the
Referer is from another secure site, and also that the Referer matches
where we think it should be coming from. Django should validate that the
Referer header matches one of the domains listed in
`CSRF_TRUSTED_ORIGINS`, including the currently responding
`ALLOWED_HOST`."	New feature	new	CSRF	dev	Normal		csrf	Carl Meyer	Unreviewed	1	0	0	0	0	0
