#31823: Add Support for Fetch Metadata Request Headers
-------------------------------------+-------------------------------------
Reporter: meggles711 | Owner:
| meggles711
Type: New feature | Status: assigned
Component: CSRF | Version: dev
Severity: Normal | Resolution:
Keywords: CSRF, Fetch, | Triage Stage:
headers | Someday/Maybe
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Felipe Rosa de Almeida):
Fetch metadata headers are widely supported now. More specifically, the
`Sec-Fetch-Site` which can be used to protect against CSRF is supported by
by [https://caniuse.com/mdn-http_headers_sec-fetch-site 97.63% of all
tracked browsers on Can I Use].
Recently, Go introduced a
[https://pkg.go.dev/net/[email protected]#CrossOriginProtection CSRF
protection middleware] that uses Fetch Metadata and Origin headers to
protect against CSRF, without relying on tokens. The author research for
developing the algorithm is shown here: https://words.filippo.io/csrf/.
[https://web.dev/articles/fetch-metadata Google recommends] Fetch Metadata
for CSRF prevention and
[https://github.com/OWASP/CheatSheetSeries/issues/1803 OWASP will follow
as well].
It seems that supporting the `Sec-Fetch-Site` header would be a great fit
for Django CSRF protection. Today the first check on the
`CsrfViewMiddleware` for a valid request is the `Origin` header. My
suggestion is to add a check before that. If the `Sec-Fetch-Site` header
is set, and it's value is either `same-origin` or `none` (user-initiated),
the request is accepted, otherwise it can be rejected. If the header is
not set, the following checks continue (Origin, Referer and token).
I can take a stab at implementing this if that's OK.
In the future (probably as part of a separate ticket), a setting can be
added to select the CSRF protection strategy. As using Fetch metadata and
Origin headers are sufficient protection against CSRF in modern browsers,
the user could opt out of the token strategy which adds more complexity
for the frontend.
--
Ticket URL: <https://code.djangoproject.com/ticket/31823#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/django-updates/0107019a139708cc-055ee288-b373-4c3c-9523-27b557bd6bd9-000000%40eu-central-1.amazonses.com.
