#24496: Check CSRF Referer against CSRF_TRUSTED_ORIGINS
------------------------------+------------------------------------
Reporter: mattrobenolt | Owner: joshkehn
Type: New feature | Status: assigned
Component: CSRF | Version: master
Severity: Normal | Resolution:
Keywords: csrf | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Comment (by joshkehn):
I think the domain check complicates matters enough to warrant a separate
fix. I've essentially repurposed this ticket to accommodate the
`CSRF_TRUSTED_ORIGINS` additions so I'd suggest creating a new ticket.
I don't know about the `get_host()` vs. `CSRF_COOKIE_DOMAIN` check. Let's
say `CSRF_COOKIE_DOMAIN` is set to `.example.com` and `ALLOWED_HOSTS` is
set to `['api.example.com', 'api-dev.example.com']`. To allow cross origin
requests also set `CSRF_TRUSTED_ORIGINS` to `['dashboard.example.com']`.
At this point Django would allow a request referred from
`badhost.example.com`, since it's part of the `CSRF_TRUSTED_ORIGINS` +
`CSRF_COOKIE_DOMAIN`. Is that acceptable?
--
Ticket URL: <https://code.djangoproject.com/ticket/24496#comment:19>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/070.3a5012259e11afc36406ed80cbe062b6%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
