Hi,

In the interest of security, I recently started using meta referrer tags in my HTML [0]. To share as little data as possible, I opted for the "none" policy [1].
This new HTML5 feature breaks Django POST views. The reason: when serving over HTTPS, the CSRF mechanism checks that an HTTP_REFERER header is set in order to validate the CSRF check. Otherwise, the CSRF check fails with REASON_NO_REFERER [2]. There is a comment in the code that reads as follows:

    # Suppose user visits http://example.com/
    # An active network attacker (man-in-the-middle, MITM) sends a
    # POST form that targets https://example.com/detonate-bomb/ and
    # submits it via JavaScript.
    #
    # The attacker will need to provide a CSRF cookie and token, but
    # that's no problem for a MITM and the session-independent
    # nonce we're using. So the MITM can circumvent the CSRF
    # protection. This is true for any HTTP connection, but anyone
    # using HTTPS expects better! For this reason, for
    # https://example.com/ we need additional protection that treats
    # http://example.com/ as completely untrusted. Under HTTPS,
    # Barth et al. found that the Referer header is missing for
    # same-domain requests in only about 0.2% of cases or less, so
    # we can use strict Referer checking.

As of right now Chrome is the only browser (that I've tested) that actually implements the meta referrer tag, but Firefox's next release will as well. This combination prevented successful login for users. Unfortunately I didn't detect this problem early in development, as I develop using HTTP but serve production using HTTPS.

I'm not convinced that this check is really protecting the user from an attack. Is there additional documentation, beyond this comment, on why this is more secure? Is there evidence of other web frameworks using this same technique? I would like to understand more.

Additionally, as a web user, one may use a Firefox/Chrome extension that purposely strips the HTTP_REFERER from all requests. Django applications would be effectively broken for such users. In my opinion, the HTTP_REFERER can't be considered reliable or trustworthy for such a critical operation.
The question: I'm wondering how Django developers feel about removing this check (or altering it?) in order to help support meta referrer tags for developers and projects that wish to use it. If there is general agreement I'll file a ticket and create a pull request.

Cheers,
Jon

[0] https://blog.mozilla.org/security/2015/01/21/meta-referrer/
[1] http://www.w3.org/TR/referrer-policy/#referrer-policy-state-none
[2] https://github.com/django/django/blob/27dd7e727153cbf12632a2161217340123687c44/django/middleware/csrf.py#L135

-- 
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
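To make the failure described in the post reproducible offline, here is an added stand-alone Python model (not Django's own code) of the strict HTTPS Referer check that the quoted comment justifies; the request dict shape, simulate_browser() and the reason strings are this example's assumptions, modelled on the middleware's behaviour. It goes slightly beyond the post by also showing that a referrer policy which sends only the origin still satisfies the same-origin comparison, while the "none" policy and the MITM's http:// origin both fail.

```python
# Added illustration, not Django's own code: a stand-alone model of the strict
# Referer check CsrfViewMiddleware applies to HTTPS POSTs. The request dict
# shape and simulate_browser() are assumptions of this example; the reason
# strings are modelled on Django's REASON_NO_REFERER / REASON_BAD_REFERER.
from urllib.parse import urlparse

REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_BAD_REFERER = "Referer checking failed - %s does not match %s."


def same_origin(url1, url2):
    """True when scheme, host and port all match (like django.utils.http.same_origin)."""
    p1, p2 = urlparse(url1), urlparse(url2)
    return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port)


def check_referer(request):
    """Return None if the POST passes the Referer check, else the rejection reason.

    `request` is a constructed dict: {"secure": bool, "host": str, "headers": dict}.
    Plain HTTP skips the check entirely; only HTTPS is held to strict checking.
    """
    if not request["secure"]:
        return None
    referer = request["headers"].get("Referer")
    if referer is None:
        return REASON_NO_REFERER
    good_referer = "https://%s/" % request["host"]
    if not same_origin(referer, good_referer):
        return REASON_BAD_REFERER % (referer, good_referer)
    return None


def simulate_browser(policy, page_url):
    """Headers a browser would send for a form POST from page_url (constructed).

    Approximates three referrer-policy states: "none" sends no Referer at all,
    "origin" sends only scheme and host, anything else sends the full page URL.
    """
    if policy == "none":
        return {}
    if policy == "origin":
        p = urlparse(page_url)
        return {"Referer": "%s://%s/" % (p.scheme, p.netloc)}
    return {"Referer": page_url}


def login_post(policy, secure=True, page_url="https://example.com/login/"):
    """Outcome of a same-site login POST under a given meta referrer policy."""
    headers = simulate_browser(policy, page_url)
    return check_referer({"secure": secure, "host": "example.com", "headers": headers})
```

Running login_post("none") reproduces the REASON_NO_REFERER rejection from the post, while login_post("origin") passes because the origin-only Referer still matches scheme, host and port.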