On Wed, Dec 2, 2015 at 10:29 AM, Flávio Junior <flaviojuve...@gmail.com> wrote: > Also, I can't imagine now why, but some > developer might want to disable referer header altogether, and can easily do > so by setting policy to No Referrer.
Why is it unimaginable that I may want to maximize privacy for my users? The domain my users are coming from is between me and my users. If CSRF would work securely without any referer header (and not leak the same data some other way), I would choose to disable it entirely. Often the domain is enough to leak what kind of data a user was reading or interacting with. For example, what might one assume (rightly or wrongly) if the referer header was "https://wikileaks.org";? -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at http://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CADhq2b62tY-izLJ2WrgsskJmbBT5ArezGL17HuinbHv4hYAg3g%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
