On Mon, Sep 25, 2017 at 5:47 PM, Michael Merickel <mmeri...@gmail.com> wrote: >> So what's the best way forward? > > I think you covered your options pretty well. > > 1) Set wsgi.url_scheme to "http" as origin checks are only done on https. > 2) Set the pyramid.csrf_trusted_origins as you are doing now. > 3) Disable csrf checking for your tests. > > I think it's just a helpful reminder that you would be wise to think about > the origin header more these days as it's required by CORS requests and, of > course, cross origin requests are the attack vector CSRF is helping to > protect.
It sounds like it needs documentation then. What is the Origin header and shouldn't Pyramid/WebOb set it automatically if it's becoming more important? #1 and #3 would make the test environment different from the real environment. #2 raises the question of what is WebTest's Origin header, what should it be, why are they different, and does something need to be changed in the library? -- Mike Orr <sluggos...@gmail.com> -- You received this message because you are subscribed to the Google Groups "pylons-discuss" group. To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discuss+unsubscr...@googlegroups.com. To post to this group, send email to pylons-discuss@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/CAH9f%3DuoOSNZKiSfTfabHevOE_p53Q8XL-UHbjxsdT6qSec7xkQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.