On Tue, Feb 3, 2015 at 1:31 AM, Aymeric Augustin <aymeric.augus...@polytechnique.org> wrote:

> Your request boils down to "make Django's CSRF protection of HTTPS
> pages vulnerable to MITM attacks" which isn't acceptable.
Please. That is a very straw-man-like way to have a discussion. The first thing I asked for was additional information: information on why this helps with CSRF security, and information on what other web technologies use this technique. IMO, the code comment is very limited in details for such a big jump. I'm not suggesting the comment be expanded; I just wanted to read some external links or details. Upon receiving that information it would help me understand if the code is doing something useful and if the code should be modified.

> http://www.w3.org/TR/referrer-policy/#referrer-policy-states doesn't have
> a policy to send the referrer only for requests to the same origin.
>
> "Origin Only" or "Origin When Cross-Origin" are quite close and alleviate
> privacy concerns. The domain name can still leak privacy-sensitive data,
> for instance if you're building a help site for people suffering from some
> illness they don't want to reveal.
>
> However, you're framing this as a security matter, which I don't get. Can
> you clarify how removing Referer headers improves security?

You're right. Privacy is probably a better term for what I'm trying to achieve. I started with the assumption that I should share as little information as possible. In my private application, 99% of the URLs are secured behind a login. However, some URLs are accessed by a unique URL containing a nonce, without a login. Login is not an option for these URLs. Sharing this URL is considered very bad and I would like to avoid it happening unintentionally. Additionally, I don't want to leak any information about my users, including the fact that they were using my application. Some of this is real privacy, some of this is common courtesy to the users. Thanks for the link, but I read through that document before choosing "none".

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CADhq2b43-h5f%2BxsofcQHHiiK8%2BfMzp%3D2fSzvtNMfW7etPnSAxQ%40mail.gmail.com.
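The trade-off the two messages describe, worked through as an added example (this is not code from the thread and not Django's own CsrfViewMiddleware; the strict Referer check below is a simplified model of the behaviour under discussion). The hosts `app.example` and `other.example`, the nonce value and the URLs are constructed for the example; the policy names are the states listed in the 2015 referrer-policy draft linked above. For each state it checks whether a same-origin form POST from the nonce page would still pass a strict HTTPS Referer check, and whether a click from that page to a third-party site would leak the nonce or the domain:

```python
from urllib.parse import urlsplit

# Constructed sample data, not taken from the thread: an application whose
# report pages are reachable only through an unguessable nonce in the URL,
# the same-origin endpoint its form posts to, and a third-party site it links to.
APP_HOST = "app.example"
NONCE = "3f9c1e2a8b7d4c6e"
NONCE_PAGE = f"https://{APP_HOST}/report/{NONCE}/"
SAME_ORIGIN_POST = f"https://{APP_HOST}/report/submit/"
OTHER_SITE = "https://other.example/"

# Policy state names as listed in the 2015 referrer-policy draft the thread links to.
POLICIES = ("None", "Origin Only", "Origin When Cross-Origin", "Unsafe URL")


def origin_of(url):
    """scheme://host/ of a URL, which is all an 'Origin Only' referrer carries."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"


def same_origin(a, b):
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.netloc) == (pb.scheme, pb.netloc)


def browser_referer(policy, from_url, to_url):
    """Referer header a browser attaches to a request from from_url to to_url
    under the given policy state; None means no header is sent."""
    if policy == "None":
        return None
    if policy == "Origin Only":
        return origin_of(from_url)
    if policy == "Origin When Cross-Origin":
        return from_url if same_origin(from_url, to_url) else origin_of(from_url)
    if policy == "Unsafe URL":
        return from_url
    raise ValueError(f"unknown policy {policy!r}")


def strict_referer_check(is_secure, host, referer):
    """Simplified model of a strict Referer check for state-changing requests
    over HTTPS (modelled on the behaviour discussed in the thread, not Django's
    code): a missing Referer is rejected, and its origin must be https://host.
    Returns (accepted, reason)."""
    if not is_secure:
        return True, "plain HTTP, Referer not checked"
    if referer is None:
        return False, "Referer missing"
    p = urlsplit(referer)
    if p.scheme != "https":
        return False, "Referer is not https"
    if p.netloc != host:
        return False, f"Referer host {p.netloc!r} is not {host!r}"
    return True, "Referer is same-origin"


def evaluate(policy):
    """For one policy state: does a same-origin POST from the nonce page pass the
    strict check, and what does a click from that page to a third-party site leak?"""
    post_referer = browser_referer(policy, NONCE_PAGE, SAME_ORIGIN_POST)
    accepted, reason = strict_referer_check(True, APP_HOST, post_referer)
    cross_referer = browser_referer(policy, NONCE_PAGE, OTHER_SITE)
    return {
        "csrf_ok": accepted,
        "reason": reason,
        "nonce_leaked": cross_referer is not None and NONCE in cross_referer,
        "domain_leaked": cross_referer is not None and APP_HOST in cross_referer,
    }


if __name__ == "__main__":
    print(f"{'policy':26} {'CSRF ok':8} {'nonce leaks':12} {'domain leaks':12}")
    for policy in POLICIES:
        r = evaluate(policy)
        print(f"{policy:26} {str(r['csrf_ok']):8} {str(r['nonce_leaked']):12} "
              f"{str(r['domain_leaked']):12} ({r['reason']})")
```

Running it shows the shape of the disagreement: under "None" the same-origin POST over HTTPS arrives with no Referer and is rejected by the strict check, while "Origin Only" and "Origin When Cross-Origin" let the check pass and keep the nonce out of third-party requests, at the cost of still revealing the domain, which is the residual leak the reply points out.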