id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31845	CSRF check fails when browsing with FQDN with trailing dot	ippei	nobody	"CSRF check seems to fail with ""Referer checking failed"" when the user is browsing with an FQDN with a trailing dot.

At this line: https://github.com/django/django/blob/2.2.12/django/middleware/csrf.py#L280
while {{{referer.netloc}}} has a trailing dot, one of the {{{good_hosts}}} that is supposed to match comes from {{{request.get_host()}}}, which strips the trailing dot.
{{{is_same_domain}}} does not consider domain strings with and without trailing dots the same domain.

We neither set CSRF_USE_SESSIONS nor CSRF_COOKIE_DOMAIN in settings.
(Our system uses DRF, but the original error seems to come from the CsrfViewMiddleware implementation.)

For now, we set CSRF_TRUSTED_ORIGINS with our production domain with a trailing dot to circumvent this issue."	Bug	closed	CSRF	2.2	Normal	wontfix		Florian Apolloner	Unreviewed	0	0	0	0	0	0
