id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
27958	CSRF_COOKIE reset while requesting a broken relative URL over HTTPS	cryptogun	nobody	"Problem: If a comment contains a broken link (under the same domain), all csrf_tokens are expired and any POST method would get a 403 code.
This also happens if I first open [https://localhost/] and then open [https://localhost/non-exist/] in another tab; now I can't make a POST on the first page.
Everything was OK while I was using HTTP.

{{{
GET https://192.168.1.2/asdf.jpg
Cookie: csrftoken=BBBB
...
status: 404
set-cookie: csrftoken=CCCC

-------------------------------------------------------
POST https://192.168.1.2/forum/comment/bookmark/163/create/
comment_number: 1
csrfmiddlewaretoken: DDDD

Cookie: csrftoken=CCCC
...
status: 403
}}}

I'm using https + nginx + gunicorn.

After some debugging, I found that ""CSRF_COOKIE"" is not in request.META inside ''context_processors.py'':
{{{
render(request, html404)
context_processors.py get_token(request)
    if ""CSRF_COOKIE"" not in request.META:
        csrf_secret = _get_new_csrf_string()
        request.META[""CSRF_COOKIE""] = _salt_cipher_secret(csrf_secret)
        response.set_cookie(settings.CSRF_COOKIE_NAME,
                            request.META[""CSRF_COOKIE""],
}}}
So the shared, newly reset csrf_cookie doesn't match the old static HTML csrf_token, resulting in a 403 Forbidden page.
More detail [here](https://github.com/nitely/Spirit/pull/173).
Test: [[Image(https://code.djangoproject.com/non-exist)]]"	Bug	closed	CSRF	1.10	Normal	invalid	csrf reset https 403		Unreviewed	0	0	0	0	0	0
