Paul McMillan <p...@mcmillan.ws> writes:
> In the meantime, if you use SSL on each of your subdomains, you get
> strict checking of the Referer header for CSRF, which mitigates that
> particular avenue of attack. Since you're using sessions and auth, you
> should be using SSL, and so the protection is mostly free.

Of course. The sites I'm thinking of are HTTPS only.

I had forgotten about the Referer header check. It seems that it
would stop the subdomain-to-subdomain CSRF attacks as long as
the site is only using HTTPS, wouldn't it?

Thanks for your work on this,

/ Kent Engström
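A simplified model of the strict Referer check discussed above, added here as an illustration and not Django's own implementation: the request host, header values and URLs are constructed, and the check is reduced to an exact-host comparison.

```python
from urllib.parse import urlsplit

# Added example, not Django's code: a minimal strict Referer check for
# state-changing requests served over HTTPS. All hosts/URLs are constructed.

def referer_check_https(request_host, headers):
    """Return (ok, reason) for a state-changing HTTPS request.

    On HTTPS a missing or mismatched Referer is rejected outright, so a
    forged POST from a sibling subdomain fails even if the browser attached
    a valid session cookie and a CSRF cookie for the parent domain."""
    referer = headers.get("Referer")
    if not referer:
        return False, "missing Referer"
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return False, "Referer is not https"
    if not parts.netloc:
        return False, "malformed Referer"
    # Exact host match (netloc includes any explicit port). A sibling
    # subdomain is NOT accepted, which is the property that matters for the
    # subdomain-to-subdomain case in the thread.
    if parts.netloc.lower() != request_host.lower():
        return False, f"Referer host {parts.netloc!r} != {request_host!r}"
    return True, "ok"

def classify_requests(request_host, samples):
    """Evaluate constructed sample requests; returns {name: accepted?}."""
    return {name: referer_check_https(request_host, hdrs)[0]
            for name, hdrs in samples.items()}

# Constructed sample requests against an HTTPS-only app.example.com.
SAMPLES = {
    "same_origin_form":   {"Referer": "https://app.example.com/profile"},
    "sibling_subdomain":  {"Referer": "https://blog.example.com/post"},
    "downgraded_referer": {"Referer": "http://app.example.com/profile"},
    "stripped_referer":   {},
}

if __name__ == "__main__":
    for name, ok in classify_requests("app.example.com", SAMPLES).items():
        print(f"{name:20s} {'accepted' if ok else 'rejected'}")
```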

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.