Changes between Initial Version and Version 1 of Ticket #29802
- Timestamp: Sep 27, 2018, 7:29:16 PM
Ticket #29802 – Description
Line 1 (unmodified): Currently, Django's CSRF middleware will reject any 'non-safe' HTTPS request that lacks a Referer header: https://github.com/django/django/blob/22e8ab02863819093832de9f771bf40a62a6bd4a/django/middleware/csrf.py#L242

Line 3 (modified):
- initial: However, some users may prevent their browsers from sending the Referer header, due to privacy concerns. These users are unable to submit 'non-safe' requests (e.g. POST requests) on HTTPS-enabled Django-powered websites that use sCSRF protection.
- v1: However, some users may prevent their browsers from sending the Referer header, due to privacy concerns. These users are unable to submit 'non-safe' requests (e.g. POST requests) on HTTPS-enabled Django-powered websites that use CSRF protection.

Line 5 (unmodified): For some websites, checking the Referer header may provide no added security benefit. For example, an HSTS-preloaded website which controls all of its subdomains has nothing to gain from this check - there are no untrusted subdomains which can mount an attack, and HSTS prevents an HTTP MITM attack.
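As an added illustration, not Django's code and not part of the ticket, the following Python model reproduces the behaviour the description complains about: a 'non-safe' HTTPS request without a Referer header is rejected outright, while a request that does carry one must point at the request's own host (or, as an assumed extension, at an explicitly trusted origin) over https. The function name, argument shapes, the `trusted_origins` parameter and the sample requests are assumptions; the real middleware's full comparison rules are not reproduced.

```python
"""Model of the Referer check described in Django ticket #29802.

Added example: this is NOT django/middleware/csrf.py. It models the
decision the ticket describes so the failure mode for privacy-conscious
users (browser configured to send no Referer) is visible in a test.
"""
from urllib.parse import urlsplit

# Methods the CSRF check leaves alone (assumed to match the usual 'safe' set).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def check_referer(method, is_secure, host, headers, trusted_origins=()):
    """Return (accepted, reason) for one request.

    method          -- HTTP method, e.g. "POST"
    is_secure       -- True when the request arrived over HTTPS
    host            -- the request's own host, e.g. "example.com"
    headers         -- dict of request headers (only "Referer" is read)
    trusted_origins -- assumed extra hosts a Referer may name (hypothetical)
    """
    if method in SAFE_METHODS:
        return True, "safe method, not checked"
    if not is_secure:
        # The ticket only concerns HTTPS requests; plain HTTP is not Referer-checked here.
        return True, "http request, referer not checked"

    referer = headers.get("Referer")
    if not referer:
        # This is the branch the ticket reports: a privacy setting that strips
        # Referer makes every POST on an HTTPS site fail the check.
        return False, "referer missing"

    parts = urlsplit(referer)
    if parts.scheme != "https" or not parts.netloc:
        return False, "referer malformed or not https"
    if parts.netloc == host or parts.netloc in trusted_origins:
        return True, "referer matches"
    return False, "referer origin mismatch"


# Constructed sample requests (not real traffic) covering each branch.
SAMPLES = {
    "get_no_referer": ("GET", True, "example.com", {}),
    "post_no_referer": ("POST", True, "example.com", {}),
    "post_same_origin": ("POST", True, "example.com", {"Referer": "https://example.com/form"}),
    "post_http_referer": ("POST", True, "example.com", {"Referer": "http://example.com/form"}),
    "post_other_origin": ("POST", True, "example.com", {"Referer": "https://other.example/"}),
}


def run_samples():
    """Evaluate every sample and return {name: accepted}."""
    return {name: check_referer(*args)[0] for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, args in SAMPLES.items():
        ok, reason = check_referer(*args)
        print(f"{name:18} -> {'accept' if ok else 'reject'} ({reason})")
```

Running it shows that only `post_no_referer` fails for the reason the ticket gives: the request is otherwise legitimate, but the check cannot tell a stripped Referer from a cross-site one, so it rejects. The same model makes the ticket's HSTS argument concrete: on a site where every origin that could send a Referer is under the operator's control, the `referer origin mismatch` branch can never be reached by a browser, which is why the description asks what the check still buys such a site.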