id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
30017	Django should assume port 443 for https in django.utils.http.is_same_domain()	Ruslan Dautkhanov	nobody	"More complete explanation posted here - https://stackoverflow.com/questions/53658795/django-how-to-disable-referer-check

The issue is probably in the Django code here: https://github.com/django/django/blob/22e8ab02863819093832de9f771bf40a62a6bd4a/django/middleware/csrf.py#L280

The referer variable there is a urlparse object (see https://docs.python.org/3/library/urllib.parse.html ), which contains a ""netloc"" property with a port.

Notice the error again - the netlocs don't match because one has a port (443) and the other doesn't (port 443 is the default for https):

Referer checking failed -

https://hue-dev.discover.abc.com/hue/accounts/login/?next=/
does not match
https://hue-dev.discover.abc.com:443/.

So I guess there should be some sort of Referer field transformation made in the nginx config to cut out port 443 explicitly (or add it).

The Referer check is failing because django.utils.http.is_same_domain() takes the port into account (in referer.netloc).

Django should assume that port 443 is the default for HTTPS, and not fail the Referer check in this case."	Bug	closed	HTTP handling	2.1	Normal	wontfix			Unreviewed	0	0	0	0	0	0
