#16010: Support Origin header checking in the CSRF middleware
-----------------------------+--------------------------------------
     Reporter:  davidben     |                    Owner:  Tim Graham
         Type:  New feature  |                   Status:  assigned
    Component:  CSRF         |                  Version:  master
     Severity:  Normal       |               Resolution:
     Keywords:               |             Triage Stage:  Accepted
    Has patch:  1            |      Needs documentation:  0
  Needs tests:  0            |  Patch needs improvement:  1
Easy pickings:  0            |                    UI/UX:  0
-----------------------------+--------------------------------------

Comment (by Tim Graham):

 So we could add another setting `CSRF_ALLOWED_ORIGINS` (which I sketched
 out as another commit in my draft PR) that includes the schemes.
 Unfortunately the name is very similar and not well differentiated from
 `CSRF_TRUSTED_ORIGINS` setting that already exists. That setting could
 possibly be deprecated in favor of `CSRF_ALLOWED_ORIGINS` and another new
 setting: `CSRF_ALLOWED_ORIGIN_REGEXES`, to accommodate the "allow all
 subdomains" use case.

 Do you think a `CSRF_ALLOW_ALL_ORIGINS` setting is needed?

 There's also a question of backward compatibility. Since
 `CSRF_ALLOWED_ORIGINS` is empty by default, only same-origin requests will
 be allowed unless the new settings are set. I can't think of a useful
 deprecation path here, but perhaps a system check to flag an empty
 `CSRF_ALLOWED_ORIGINS` if `CSRF_TRUSTED_ORIGINS` isn't empty could be
 helpful in giving a heads up.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/16010#comment:12>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
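The Origin check and the companion system check floated in the comment above, as an added example that is neither Django's code nor the draft PR's: the setting names `CSRF_ALLOWED_ORIGINS` and `CSRF_ALLOWED_ORIGIN_REGEXES` are the comment's proposal, and the function signatures, the plain dict standing in for `django.conf.settings`, and the sample origins are assumptions made for this illustration.

```python
# Illustration of the proposed Origin-header check for the CSRF middleware.
# Not Django's code. CSRF_ALLOWED_ORIGINS / CSRF_ALLOWED_ORIGIN_REGEXES are the
# names proposed in the ticket comment; the signatures below are assumptions.
import re
from urllib.parse import urlsplit


def _parse_origin(origin):
    """Split an Origin header value into (scheme, host[:port]).

    Returns None for a missing or malformed value. A browser-sent Origin is
    "scheme://host[:port]" with no path, query, fragment or userinfo, so
    anything else (including the literal "null") is treated as malformed.
    """
    if origin is None:
        return None
    parts = urlsplit(origin)
    if not parts.scheme or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    return parts.scheme.lower(), parts.netloc.lower()


def origin_allowed(origin, request_scheme, request_host,
                   allowed_origins=(), allowed_origin_regexes=()):
    """Decide whether an unsafe-method request carrying `origin` may proceed.

    Rules as discussed in the thread: same-origin requests always pass;
    otherwise the origin (scheme included) must be listed verbatim in
    allowed_origins or fully match one of allowed_origin_regexes, which is
    how the "allow all subdomains" case would be expressed. A missing or
    malformed Origin header is rejected.
    """
    parsed = _parse_origin(origin)
    if parsed is None:
        return False
    scheme, host = parsed
    # Same-origin: scheme and host:port both match the request's own.
    if scheme == request_scheme.lower() and host == request_host.lower():
        return True
    normalized = f"{scheme}://{host}"
    if normalized in {o.lower() for o in allowed_origins}:
        return True
    # fullmatch, not match: a prefix match would let
    # "https://a.example.com.attacker.test" satisfy r"https://.*\.example\.com".
    return any(re.fullmatch(pattern, normalized) for pattern in allowed_origin_regexes)


def check_allowed_origins(settings):
    """Stand-in for the system check suggested in the comment.

    `settings` is a plain dict used here in place of django.conf.settings.
    Warns when CSRF_TRUSTED_ORIGINS is set but neither new setting is, since
    with Origin checking only same-origin requests would then be accepted.
    """
    warnings = []
    if (settings.get("CSRF_TRUSTED_ORIGINS")
            and not settings.get("CSRF_ALLOWED_ORIGINS")
            and not settings.get("CSRF_ALLOWED_ORIGIN_REGEXES")):
        warnings.append(
            "CSRF_TRUSTED_ORIGINS is set but CSRF_ALLOWED_ORIGINS is empty; "
            "cross-origin requests from those hosts will fail the Origin check."
        )
    return warnings


if __name__ == "__main__":
    # Constructed sample values for a quick run.
    regexes = [r"https://[a-z0-9-]+\.example\.com"]
    print(origin_allowed("https://api.example.com", "https", "app.example.com",
                         allowed_origin_regexes=regexes))
    print(check_allowed_origins({"CSRF_TRUSTED_ORIGINS": ["example.com"]}))
```

The regex branch uses `re.fullmatch` deliberately: with a prefix match, a pattern written for `*.example.com` would also accept an origin whose host merely begins with a trusted name, which is exactly the class of mistake an "allow all subdomains" setting invites.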
