This check prevents a MITM from injecting an HTTP-based form/CSRF
token pair along with JavaScript to auto-submit it to an HTTPS target.
Any HTTP request is vulnerable to all kinds of MITM and there's
nothing we can do about it, but an HTTPS-based request should be as
secure as possible even with a MITM.

This protection discourages our users from building HTTP forms that
post to HTTPS targets, a practice that essentially invalidates most of
the browser-based security UI. SSLStrip is a very real threat.

As for issue #2, of course it's possible to send anything you like as
an attacker (including making up a referer header). This is about
protecting non-malicious users. A malicious MITM shouldn't be able to
modify an SSL request on the wire to change that header, since
everything except the destination IP address is encrypted.

There has been previous discussion of this issue:
http://groups.google.com/group/django-developers/browse_thread/thread/d16647e84d2b39ea

http://groups.google.com/group/django-developers/browse_thread/thread/22058adaf11e3ed6

and it is commented on in the code:
http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py#L139

-Paul
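The strict-Referer rule described in the message above, as an added example that is not Django's own middleware code: HTTPS requests must carry a Referer whose origin (scheme and host) matches the request, while plain-HTTP requests are not checked. Function names, the host value and the sample Referer values are constructed for illustration.

```python
"""Strict-Referer check for HTTPS requests (example code, not Django's).

Only HTTPS requests are checked: a plain-HTTP request can be rewritten by
a MITM anyway, so a Referer check there buys nothing. Over HTTPS the
Referer travels inside the encrypted channel, so a MITM cannot forge it,
and a form injected into an HTTP page will carry an http:// Referer (or
none at all) and is rejected.
"""
from typing import Optional
from urllib.parse import urlsplit

# Rejection reasons returned to the caller (constructed for this example).
REJECT_NO_REFERER = "Referer checking failed - no Referer."
REJECT_BAD_REFERER = "Referer checking failed - origin does not match."


def same_origin(url_a: str, url_b: str) -> bool:
    """Compare scheme, host and port only; path and query are irrelevant."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def check_referer(is_secure: bool, host: str, referer: Optional[str]) -> Optional[str]:
    """Return None when the request passes, else a rejection reason.

    is_secure: whether the request arrived over HTTPS.
    host:      the Host header of the request (hypothetical example value).
    referer:   the Referer header, or None when the browser sent none.
    """
    if not is_secure:
        # HTTP requests are not protected by this check at all.
        return None
    if referer is None:
        # Over HTTPS a missing Referer is treated as a failure, not a pass.
        return REJECT_NO_REFERER
    # The only acceptable origin is the HTTPS origin of this very host;
    # an http:// Referer for the same host is exactly the SSLStrip case.
    good_referer = "https://%s/" % host
    if not same_origin(referer, good_referer):
        return REJECT_BAD_REFERER
    return None


if __name__ == "__main__":
    # Constructed sample requests: the third and fourth are rejected.
    print(check_referer(False, "example.com", None))
    print(check_referer(True, "example.com", "https://example.com/login"))
    print(check_referer(True, "example.com", "http://example.com/login"))
    print(check_referer(True, "example.com", None))
```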

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.