#16010: Support Origin header checking in the CSRF middleware
-----------------------------+--------------------------------------
     Reporter:  davidben     |  Owner:  Tim Graham
         Type:  New feature  |  Status:  assigned
    Component:  CSRF         |  Version:  master
     Severity:  Normal       |  Resolution:
     Keywords:               |  Triage Stage:  Accepted
    Has patch:  1            |  Needs documentation:  0
  Needs tests:  0            |  Patch needs improvement:  1
Easy pickings:  0            |  UI/UX:  0
-----------------------------+--------------------------------------
Comment (by Tim Graham):

So we could add another setting `CSRF_ALLOWED_ORIGINS` (which I sketched out as another commit in my draft PR) that includes the schemes. Unfortunately the name is very similar and not well differentiated from the `CSRF_TRUSTED_ORIGINS` setting that already exists. That setting could possibly be deprecated in favor of `CSRF_ALLOWED_ORIGINS` and another new setting, `CSRF_ALLOWED_ORIGIN_REGEXES`, to accommodate the "allow all subdomains" use case. Do you think a `CSRF_ALLOW_ALL_ORIGINS` setting is needed?

There's also a question of backward compatibility. Since `CSRF_ALLOWED_ORIGINS` is empty by default, only same-origin requests will be allowed unless the new settings are set. I can't think of a useful deprecation path here, but perhaps a system check to flag an empty `CSRF_ALLOWED_ORIGINS` if `CSRF_TRUSTED_ORIGINS` isn't empty could be helpful in giving a heads up.

--
Ticket URL: <https://code.djangoproject.com/ticket/16010#comment:12>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
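The sketch below is an added, stand-alone illustration of the design discussed in the comment above; it is not Django's code and not the draft PR. It shows an Origin header check driven by the three settings named in the comment (`CSRF_ALLOWED_ORIGINS` with schemes, `CSRF_ALLOWED_ORIGIN_REGEXES` for the subdomain case, and an opt-in `CSRF_ALLOW_ALL_ORIGINS`), plus the proposed system check that warns when `CSRF_TRUSTED_ORIGINS` is set but `CSRF_ALLOWED_ORIGINS` is empty. The settings dict, the helper names `normalize_origin`, `origin_allowed` and `check_csrf_origin_settings`, and the sample origins are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed example settings, not Django defaults. Entries in
# CSRF_ALLOWED_ORIGINS carry a scheme so that http:// and https:// are
# distinct origins; the regex covers "any subdomain of example.org".
SETTINGS = {
    "CSRF_ALLOWED_ORIGINS": ["https://app.example.com"],
    "CSRF_ALLOWED_ORIGIN_REGEXES": [r"https://[a-z0-9-]+\.example\.org"],
    "CSRF_TRUSTED_ORIGINS": ["example.com"],  # legacy, host-only setting
    "CSRF_ALLOW_ALL_ORIGINS": False,
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Return (scheme, host, port) for a serialized origin, or None if it is
    not a usable http(s) origin (e.g. the literal 'null', or a bare host)."""
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return None
    return (scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme])


def origin_allowed(origin, request_scheme, request_host, settings):
    """Decide whether a request carrying the given Origin header may proceed.

    Order of checks: global opt-out, same origin as the request target,
    exact allowlist entries, then anchored regexes. Anything unparseable,
    including Origin: null, is rejected."""
    if settings.get("CSRF_ALLOW_ALL_ORIGINS", False):
        return True
    parsed = normalize_origin(origin)
    if parsed is None:
        return False
    if parsed == normalize_origin(f"{request_scheme}://{request_host}"):
        return True
    for allowed in settings.get("CSRF_ALLOWED_ORIGINS", []):
        if normalize_origin(allowed) == parsed:
            return True
    for pattern in settings.get("CSRF_ALLOWED_ORIGIN_REGEXES", []):
        # fullmatch so that a pattern cannot be satisfied by a prefix of
        # a longer, attacker-controlled hostname.
        if re.fullmatch(pattern, origin):
            return True
    return False


def check_csrf_origin_settings(settings):
    """Return warning strings in the spirit of the proposed system check:
    flag the legacy setting being used without the new one, and flag
    allowlist entries that omit a scheme and so can never match."""
    warnings = []
    if settings.get("CSRF_TRUSTED_ORIGINS") and not settings.get("CSRF_ALLOWED_ORIGINS"):
        warnings.append(
            "CSRF_TRUSTED_ORIGINS is set but CSRF_ALLOWED_ORIGINS is empty; "
            "only same-origin requests will pass the Origin check."
        )
    for value in settings.get("CSRF_ALLOWED_ORIGINS", []):
        if normalize_origin(value) is None:
            warnings.append(
                f"CSRF_ALLOWED_ORIGINS entry {value!r} must include a scheme, "
                "e.g. 'https://example.com'."
            )
    return warnings


if __name__ == "__main__":
    for origin in ["https://shop.example.com", "https://app.example.com:443",
                   "http://app.example.com", "https://api.example.org",
                   "https://api.example.org.evil.net", "null"]:
        print(origin, "->", origin_allowed(origin, "https", "shop.example.com", SETTINGS))
    print(check_csrf_origin_settings({"CSRF_TRUSTED_ORIGINS": ["example.com"]}))
```

The explicit `:443` case shows why the comparison is done on a normalized (scheme, host, port) tuple rather than on the raw string, and the `example.org.evil.net` case shows why the regexes are applied with `fullmatch`.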