On Tue, Feb 3, 2015 at 11:39 AM, Aymeric Augustin <aymeric.augustin.2...@polytechnique.org> wrote:
> On 3 Feb 2015 at 16:54, Jon Dufresne <jon.dufre...@gmail.com> wrote:
>> Assuming this MITM already has the correct CSRF value, what is
>> stopping this MITM from adding a REFERER to the HTTPS request?
>
> While MITM of HTTP is trivial, MITM of HTTPS isn't possible (under Django's
> security model, which doesn't account for government-level attacks, etc.)
Agreed. My application is 100% over HTTPS, so why do I need the CSRF referrer check? As you state, MITM is theoretically impossible? However, I'm referring to this comment:

> We're talking about a MITM of an HTTP connection that is then used for
> posting a form over an HTTPS connection. Check the comment in the first
> message of this thread for details.

So the MITM is over HTTP, which we both agree is trivial. This MITM then makes an HTTPS POST request. Making an HTTPS POST request on its own is also trivial. To circumvent the CSRF protection the MITM will need the CSRF token as well as to set the referrer header. If the MITM is capable of obtaining the CSRF, adding a header to a request seems like the trivial part.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CADhq2b6PjnZx_XfusSX5odDjo295dgwN80wq26K_mwHqsQzMAw%40mail.gmail.com.
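The check the two messages are arguing about, modelled as an added example that is not part of the thread and not Django's own code: a strict Referer check that applies only to HTTPS requests, run alongside the cookie-versus-form token comparison. The request objects, host names (app.example, attacker.example) and token values are constructed here for illustration. The example shows three cases: a same-origin submission passes; a form submitted by the victim's browser from a page on another origin carries whatever Referer the browser sets and is rejected even when the token matches; a request the attacker assembles by hand, with the Referer forged to the site's own origin, passes the Referer check, which is exactly the "adding a header is the trivial part" point.

```python
"""Simplified model of token + Referer checking for CSRF on HTTPS.

Added example, not Django's implementation. Requests are plain dicts
built inline; hosts and tokens are made up for the demonstration.
"""
import hmac
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port.
    An unparseable URL yields a tuple that never matches a real origin."""
    try:
        parts = urlsplit(url)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
        return (parts.scheme, parts.hostname, port)
    except ValueError:
        return (None, None, None)


def same_origin(url1, url2):
    return origin(url1) == origin(url2)


def check_referer(request):
    """Strict Referer check, applied only when the request came in over HTTPS.
    Returns None on success, otherwise a rejection reason."""
    if not request["secure"]:
        return None  # plain HTTP: no Referer check in this model
    referer = request["headers"].get("Referer")
    if referer is None:
        return "no Referer"
    expected = "https://%s/" % request["host"]
    if not same_origin(referer, expected):
        return "Referer %s does not match %s" % (referer, expected)
    return None


def check_csrf(request):
    """Cookie token must equal the form token (constant-time compare),
    then the Referer check runs for HTTPS requests."""
    cookie_token = request["cookies"].get("csrftoken")
    form_token = request["post"].get("csrfmiddlewaretoken")
    if not cookie_token or not form_token:
        return "CSRF token missing"
    if not hmac.compare_digest(cookie_token, form_token):
        return "CSRF token incorrect"
    return check_referer(request)


def make_request(secure, host, referer, cookie_token, form_token=None):
    """Build a constructed request dict; form token defaults to the cookie token."""
    headers = {} if referer is None else {"Referer": referer}
    return {
        "secure": secure,
        "host": host,
        "headers": headers,
        "cookies": {"csrftoken": cookie_token},
        "post": {"csrfmiddlewaretoken": form_token or cookie_token},
    }


def scenarios():
    """The cases discussed in the thread, with the attacker knowing the token."""
    token = "constructed-token-value"
    return {
        # normal same-origin form submission over HTTPS
        "same_origin": check_csrf(
            make_request(True, "app.example", "https://app.example/form", token)),
        # victim's browser submits a form hosted on the attacker's HTTP page;
        # the browser, not the attacker, decides what Referer to send
        "browser_cross_origin": check_csrf(
            make_request(True, "app.example", "http://attacker.example/", token)),
        # attacker assembles the HTTPS POST directly and forges the header
        "forged_referer": check_csrf(
            make_request(True, "app.example", "https://app.example/", token)),
        # token mismatch is caught before the Referer is even looked at
        "wrong_token": check_csrf(
            make_request(True, "app.example", "https://app.example/", token, "other")),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print("%-22s %s" % (name, "accepted" if result is None else "rejected: " + result))
```

The forged_referer case is the one the message above describes: once an attacker controls the whole request, the header costs nothing. What the check is worth depends on the other case, where the request is issued by the victim's browser and the attacker does not get to choose the Referer.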