On Tue, Feb 3, 2015 at 2:12 PM, Paul McMillan <p...@mcmillan.ws> wrote:
> The referer check is primarily there to help make users who choose not
> to use HSTS safer.
>
> Without HSTS, a mitm can set CSRF cookies (e.g. by serving an HTTP
> page emulating your domain in an iframe on a different unencrypted
> page, even if you only ever serve your own page from HTTPS), and then
> post (from wherever) to your secured page. By forcing the post to come
> from the same domain, we've made this attack significantly less
> convenient.
>
> I agree that it's really unfortunate that we don't have a better
> mechanism for this in the browsers, but this still seems to be the
> best tradeoff we have right now.

Aren't there existing security mechanisms to handle these situations?
It seems like this is sending the wrong message. Django should be
pushing developers and admins for the best solution to security and
privacy concerns.

Prevent HTTP when using HTTPS: use HSTS. (Apparently not supported by IE11 [0])

Prevent the application from being served in an attacker's iframe: use
X-Frame-Options. (Supported by all major browsers [1])

These seem like much better solutions to the scenario you present.
What does the REFERER check do that is not handled by the above?

At that point, the user's privacy concerns could be handled with the
meta referrer tag.

[0] https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security#Browser_compatibility
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options#Browser_compatibility

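The scenario in the quoted reply (a man-in-the-middle plants a CSRF cookie over plain HTTP, then posts to the HTTPS page from wherever) and the Referer check it motivates, as an added example that is not taken from Django's own CsrfViewMiddleware: a double-submit token check on its own accepts the planted request, because the attacker controls both the cookie and the form field, while a strict Referer check on HTTPS requests rejects it. The request dicts, the hosts example.com and attacker.example, and the function names csrf_token_matches, referer_allows and accept_post are constructed for this example.

```python
"""
Hypothetical strict-Referer check for POSTs to an HTTPS page, modelled on
the behaviour discussed in the thread (added example, not Django's code).
"""
from urllib.parse import urlsplit


def csrf_token_matches(cookie_token, form_token):
    """Double-submit check: the token in the POST body must equal the token
    stored in the CSRF cookie. Both values are under the attacker's control
    once a cookie has been planted over plain HTTP."""
    return bool(cookie_token) and cookie_token == form_token


def referer_allows(request_host, referer):
    """Accept only if the Referer is an https:// URL whose host (including any
    explicit port) is exactly the host the request was sent to.
    Returns (accepted, reason)."""
    if not referer:
        # Browsers strip Referer in some cases; a strict check fails closed.
        return False, "missing Referer"
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return False, "Referer is not https"
    if not parts.netloc or parts.netloc.lower() != request_host.lower():
        return False, "Referer host %r != request host %r" % (parts.netloc, request_host)
    return True, "ok"


def accept_post(request):
    """Full check for a POST to an HTTPS page: token comparison first, then
    the Referer check. Returns (accepted, reason)."""
    if not request["is_secure"]:
        return False, "not https"
    cookie_token = request["cookies"].get("csrftoken")
    form_token = request["form"].get("csrfmiddlewaretoken")
    if not csrf_token_matches(cookie_token, form_token):
        return False, "CSRF token mismatch"
    return referer_allows(request["host"], request["headers"].get("Referer"))


# Constructed sample requests (hypothetical hosts and tokens).
LEGITIMATE = {
    "is_secure": True, "host": "example.com",
    "headers": {"Referer": "https://example.com/account/"},
    "cookies": {"csrftoken": "abc123"},
    "form": {"csrfmiddlewaretoken": "abc123"},
}

# Cookie planted by a MITM over HTTP; the form on the attacker's page carries
# the same value, so the token check passes and only the Referer gives it away.
PLANTED = {
    "is_secure": True, "host": "example.com",
    "headers": {"Referer": "https://attacker.example/csrf.html"},
    "cookies": {"csrftoken": "evil"},
    "form": {"csrfmiddlewaretoken": "evil"},
}

# Same attack with the Referer suppressed (e.g. via a referrer policy).
NO_REFERER = dict(PLANTED, headers={})

# Same attack posted from a plain-HTTP page.
HTTP_REFERER = dict(PLANTED, headers={"Referer": "http://attacker.example/csrf.html"})


if __name__ == "__main__":
    for name, req in (("legitimate", LEGITIMATE), ("planted", PLANTED),
                      ("no referer", NO_REFERER), ("http referer", HTTP_REFERER)):
        print(name, accept_post(req))
```

The point the example makes is that the token comparison alone passes for the planted request; only the Referer check distinguishes it from the legitimate one, and it does so by failing closed when the Referer is absent, not https, or from a different host.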