Hi,

In the interest of security, I recently started using meta referrer
tags in my HTML [0]. To share as little data as possible, I
opted for the "none" policy [1].

This new HTML5 feature breaks Django POST views. The reason: the CSRF
mechanism checks, when serving over HTTPS, that an HTTP_REFERER
header is set in order to validate the CSRF check. Otherwise, the CSRF
check fails with REASON_NO_REFERER [2]. There is a comment in the code
that reads as follows:

                # Suppose user visits http://example.com/
                # An active network attacker (man-in-the-middle, MITM) sends a
                # POST form that targets https://example.com/detonate-bomb/ and
                # submits it via JavaScript.
                #
                # The attacker will need to provide a CSRF cookie and token, but
                # that's no problem for a MITM and the session-independent
                # nonce we're using. So the MITM can circumvent the CSRF
                # protection. This is true for any HTTP connection, but anyone
                # using HTTPS expects better! For this reason, for
                # https://example.com/ we need additional protection that treats
                # http://example.com/ as completely untrusted. Under HTTPS,
                # Barth et al. found that the Referer header is missing for
                # same-domain requests in only about 0.2% of cases or less, so
                # we can use strict Referer checking.

As of right now Chrome is the only browser (that I've tested) that
actually implements the meta referrer tag, but Firefox's next release
will as well. This combination prevented successful login for users.
Unfortunately I didn't detect this problem early in development as I
develop using HTTP, but serve production using HTTPS.

I'm not convinced that this check is really protecting the user from
an attack. Is there additional documentation, beyond this comment, on
why this is more secure? Is there evidence of other web frameworks
using this same technique? I would like to understand more.

Additionally, as a web user, one may use a Firefox/Chrome extension
that purposely strips the HTTP_REFERER from all requests. Django
applications would be effectively broken for such users. In my
opinion, the HTTP_REFERER can't be considered reliable or trustworthy
for such a critical operation.

The question: I'm wondering how Django developers feel about removing
this check (or altering it?) in order to help support meta referrer
tags for developers and projects that wish to use it. If there is
general agreement I'll file a ticket and create a pull request.

Cheers,
Jon


[0] https://blog.mozilla.org/security/2015/01/21/meta-referrer/
[1] http://www.w3.org/TR/referrer-policy/#referrer-policy-state-none
[2] https://github.com/django/django/blob/27dd7e727153cbf12632a2161217340123687c44/django/middleware/csrf.py#L135
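To make the failure described in this message concrete, here is an added, simplified reimplementation of the strict Referer rule the quoted comment describes (example code written for this thread, not Django's own csrf.py). It assumes a request is represented by its HTTPS flag, its Host value and its Referer header, and the sample requests are constructed.

```python
from urllib.parse import urlparse

# Reason strings modelled on Django's csrf.py (constructed for this example).
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_BAD_REFERER = "Referer checking failed - %s does not match %s."


def _origin(url):
    """Return (scheme, hostname, port) with the default port filled in."""
    p = urlparse(url)
    default = {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, p.hostname, p.port or default)


def check_referer(is_secure, host, referer):
    """Return None when the strict Referer check passes, else the rejection reason.

    Mirrors the rule in the quoted comment: only HTTPS requests are checked,
    and for those a Referer from https://<host>/ is mandatory. A referrer
    policy of "none" (or a stripping extension) therefore fails every
    HTTPS POST with REASON_NO_REFERER.
    """
    if not is_secure:
        return None                      # plain HTTP: no Referer check at all
    if not referer:
        return REASON_NO_REFERER
    good_referer = "https://%s/" % host
    if _origin(referer) != _origin(good_referer):
        return REASON_BAD_REFERER % (referer, good_referer)
    return None


# Constructed sample requests: (is_secure, Host, Referer).
SAMPLES = {
    "prod_same_origin":  (True,  "example.com", "https://example.com/login/"),
    "prod_policy_none":  (True,  "example.com", None),             # the case above
    "prod_http_referer": (True,  "example.com", "http://example.com/login/"),
    "dev_http_no_ref":   (False, "localhost:8000", None),           # why dev passed
}


def run_samples():
    """Run every sample through the check; None means the request is accepted."""
    return {name: check_referer(*req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, reason in run_samples().items():
        print(f"{name:18} -> {'accepted' if reason is None else reason}")
```

The dev_http_no_ref sample shows why the problem only surfaces in production: a plain-HTTP development server never runs the Referer check, while the same form over HTTPS with a "none" policy is rejected with REASON_NO_REFERER.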
