The referer check is primarily there to help make users who choose not to use HSTS safer.
Without HSTS, a MITM can set CSRF cookies (e.g. by serving an HTTP page emulating your domain in an iframe on a different unencrypted page, even if you only ever serve your own page from HTTPS), and then post (from wherever) to your secured page. By forcing the post to come from the same domain, we've made this attack significantly less convenient.

I agree that it's really unfortunate that we don't have a better mechanism for this in the browsers, but this still seems to be the best tradeoff we have right now.

-Paul

On Tue, Feb 3, 2015 at 9:43 PM, Jon Dufresne <jon.dufre...@gmail.com> wrote:
> On Tue, Feb 3, 2015 at 11:52 AM, Aymeric Augustin <aymeric.augustin.2...@polytechnique.org> wrote:
>> You can fix that problem by saving some authentication info in the user's session, most likely with a custom auth backend — see django-sesame for an example of how to do this. Then redirect immediately to a URL that doesn't contain the nonce. Of course all this must happen over HTTPS to reduce the likelihood of leaving the nonce in the logs of various caches or reverse proxies.
>
> My application is 100% over HTTPS, HTTP traffic is not allowed.
>
> Thanks for these pointers. This may not work exactly for me, but it certainly is something interesting to think about. I'll look into it more.
--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAO_YWRWosR0yePoqiQSKW2M4--ucY747smFNXcUSSQ4GnsCmag%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
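The strict Referer check Paul describes, modelled as a standalone function so the three cases in the thread (same-origin HTTPS post, MITM-framed HTTP page, cross-origin post) can be run side by side. This is an added example, not Django's code or anything posted in the thread; the hostnames, headers and the `trusted_origins` parameter (standing in for an assumed CSRF_TRUSTED_ORIGINS-style allow list) are constructed.

```python
from urllib.parse import urlparse

def check_referer(headers, request_host, trusted_origins=()):
    """Return None if a POST to https://<request_host>/ may proceed,
    otherwise a short rejection reason.

    headers: request headers as a dict (constructed sample input below).
    request_host: the host[:port] the HTTPS request was addressed to.
    trusted_origins: extra 'https://host[:port]' origins to accept,
        standing in for an assumed CSRF_TRUSTED_ORIGINS-style setting.
    """
    referer = headers.get("Referer")
    if referer is None:
        # Strict mode: on HTTPS a missing Referer is rejected, not waved
        # through, otherwise stripping the header would bypass the check.
        return "no Referer"
    parsed = urlparse(referer)
    if not parsed.scheme or not parsed.netloc:
        return "malformed Referer"
    # The MITM in the thread can only forge http:// pages, so an http://
    # Referer on an https:// request is the framed-HTTP-page scenario.
    if parsed.scheme != "https":
        return "insecure Referer on secure request"
    allowed = {request_host.lower()}
    allowed |= {urlparse(o).netloc.lower() for o in trusted_origins}
    if parsed.netloc.lower() not in allowed:
        return "Referer %s does not match any trusted origin" % referer
    return None

# Constructed sample POSTs to https://example.com/transfer/. Each carries a
# csrftoken cookie matching the form field, as a MITM-planted cookie would.
SAMPLE_POSTS = {
    "legit same-origin form": {
        "Cookie": "csrftoken=abc123", "Referer": "https://example.com/transfer/"},
    "forged http:// page framed by the MITM": {
        "Cookie": "csrftoken=abc123", "Referer": "http://example.com/transfer/"},
    "attacker site posting cross-origin": {
        "Cookie": "csrftoken=abc123", "Referer": "https://evil.example/"},
    "client that strips Referer": {"Cookie": "csrftoken=abc123"},
}

def classify_samples(request_host="example.com"):
    """Run every constructed sample through the check; None means accepted."""
    return {name: check_referer(h, request_host) for name, h in SAMPLE_POSTS.items()}

if __name__ == "__main__":
    for name, outcome in classify_samples().items():
        print("%-40s -> %s" % (name, outcome or "accepted"))
```

Only the first sample is accepted; the planted cookie and matching token are not enough on their own, which is the point of keeping the check on HTTPS requests.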