#25334: Check CSRF Referer against CSRF_TRUSTED_ORIGINS -----------------------------+------------------------------------ Reporter: joshkehn | Owner: joshkehn Type: New feature | Status: assigned Component: CSRF | Version: master Severity: Normal | Resolution: Keywords: csrf | Triage Stage: Accepted Has patch: 1 | Needs documentation: 0 Needs tests: 0 | Patch needs improvement: 0 Easy pickings: 0 | UI/UX: 0 -----------------------------+------------------------------------ Description changed by joshkehn:
Old description: > Django's CSRF implementation (when used over HTTPS) validates that the > Referer header matches the current host (i.e. that the request is coming > from the same domain). > > There are cases where it is reasonable to allow non-same-origin CSRF- > protected requests. Ticket #24996 (which also contains some discussion > relevant to this ticket) has a pull request to allow any host that > matches `CSRF_COOKIE_DOMAIN` past the Referer check; this takes care of > the common subdomain cases. > > But there also cases where a totally separate domain may be allowed to > make `POST` (etc) requests to an API via CORS, and CORS headers can be > configured to allow XHR requests from that external domain to send > cookies to the API (including the CSRF cookie). But at the moment such a > technique falls afoul of the Referer checking, and the only way to bypass > it is by monkeypatching the request headers (that's what > https://github.com/ottoyiu/django-cors-headers does). > > This ticket proposes adding a `CSRF_TRUSTED_ORIGINS` setting, which can > be set to a list of hosts that should be considered valid Referers for > the purposes of CSRF checking. New description: Django's CSRF implementation (when used over HTTPS) validates that the Referer header matches the current host (i.e. that the request is coming from the same domain). There are cases where it is reasonable to allow non-same-origin CSRF- protected requests. Ticket #24496 (which also contains some discussion relevant to this ticket) has a pull request to allow any host that matches `CSRF_COOKIE_DOMAIN` past the Referer check; this takes care of the common subdomain cases. But there also cases where a totally separate domain may be allowed to make `POST` (etc) requests to an API via CORS, and CORS headers can be configured to allow XHR requests from that external domain to send cookies to the API (including the CSRF cookie). But at the moment such a technique falls afoul of the Referer checking, and the only way to bypass it is by monkeypatching the request headers (that's what https://github.com/ottoyiu /django-cors-headers does). This ticket proposes adding a `CSRF_TRUSTED_ORIGINS` setting, which can be set to a list of hosts that should be considered valid Referers for the purposes of CSRF checking. -- -- Ticket URL: <https://code.djangoproject.com/ticket/25334#comment:5> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To post to this group, send email to django-updates@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/066.c1f896542576bf6fd94f9bde0675d4de%40djangoproject.com. For more options, visit https://groups.google.com/d/optout.