On Mon, Sep 25, 2017 at 10:40 PM, Mike Orr <sluggos...@gmail.com> wrote:
> On Mon, Sep 25, 2017 at 9:00 PM, Mike Orr <sluggos...@gmail.com> wrote:
>> On Mon, Sep 25, 2017 at 5:47 PM, Michael Merickel <mmeri...@gmail.com> wrote:
>>>> So what's the best way forward?
>>>
>>> I think you covered your options pretty well.
>>>
>>> 1) Set wsgi.url_scheme to "http" as origin checks are only done on https.
>>> 2) Set the pyramid.csrf_trusted_origins as you are doing now.
>>> 3) Disable csrf checking for your tests.
>>>
>>> I think it's just a helpful reminder that you would be wise to think about
>>> the origin header more these days as it's required by CORS requests and, of
>>> course, cross origin requests are the attack vector CSRF is helping to
>>> protect.
>>
>> It sounds like it needs documentation then. What is the Origin header
>> and shouldn't Pyramid/WebOb set it automatically if it's becoming more
>> important?
>>
>> #1 and #3 would make the test environment different from the real
>> environment. #2 raises the question of what is WebTest's Origin
>> header, what should it be, why are they different, and does something
>> need to be changed in the library?
>
> I guess the solution is #1, to roll back the HTTPS, because there is
> no HTTPS because there's no network server. That in turn will require
> a configuration that doesn't make the cookies HTTPS-only.

(The browser got in a mood and did "Send" too quickly.)

I still feel like there's a missing piece, something that needs to be
documented so that others don't fall into this same trap. The only
reason I set HTTPS-only and CSRF is our IT department asked us to do
this wherever feasible, and since it didn't make much difference
either way I went along with it. So presumably other people in other
organizations will be doing the same thing, and have the same thing
happen in their tests.


-- 
Mike Orr <sluggos...@gmail.com>
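A small model of the origin check this thread is about, as an added example that is not Pyramid's or WebTest's own code: it shows why an https test request without an Origin header fails, and why options #1 (http scheme) and #2 (csrf_trusted_origins) each make it pass. The environ values, host names and exact matching rules are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Added example modelled on the origin check discussed in the thread; it is
# not Pyramid's or WebTest's code. Assumed rules: the check runs only when
# wsgi.url_scheme is "https", Origin falls back to Referer, the request's own
# host is always trusted, and trusted entries are "host[:port]" strings with a
# leading dot matching subdomains (as pyramid.csrf_trusted_origins does).
DEFAULT_PORTS = {"http": "80", "https": "443"}


def _normalise(netloc, scheme):
    """Lower-case host:port, dropping the port when it is the scheme default."""
    host, _, port = netloc.lower().partition(":")
    return host if not port or port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"


def _same_domain(host, pattern):
    """'.example.test' matches example.test and any of its subdomains."""
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def check_csrf_origin(environ, trusted_origins=()):
    """Return (ok, reason) for a WSGI environ dict."""
    if environ.get("wsgi.url_scheme") != "https":
        return True, "not https: origin check skipped"
    source = environ.get("HTTP_ORIGIN") or environ.get("HTTP_REFERER")
    if not source:
        return False, "no Origin or Referer header"
    parts = urlsplit(source)
    origin = _normalise(parts.netloc, parts.scheme)
    own = _normalise(environ.get("HTTP_HOST", environ.get("SERVER_NAME", "")), "https")
    trusted = [own] + [t.strip() for t in trusted_origins if t.strip()]
    if any(_same_domain(origin, t) for t in trusted):
        return True, f"origin {origin} is trusted"
    return False, f"origin {origin} does not match any trusted origin"


# Constructed environs resembling what a WebTest TestApp might send.
BASE = {"HTTP_HOST": "localhost:80", "wsgi.url_scheme": "https"}
CASES = {
    "http_skipped": ({**BASE, "wsgi.url_scheme": "http"}, ()),          # option #1
    "https_no_origin": (BASE, ()),                                       # the failing test
    "https_same_host": ({**BASE, "HTTP_ORIGIN": "https://localhost:80"}, ()),
    "https_foreign": ({**BASE, "HTTP_ORIGIN": "https://other.test"}, ()),
    "https_trusted": ({**BASE, "HTTP_ORIGIN": "https://app.example.test"}, (".example.test",)),  # option #2
}


def run_cases():
    return {name: check_csrf_origin(env, trusted)[0] for name, (env, trusted) in CASES.items()}


if __name__ == "__main__":
    for name, (env, trusted) in CASES.items():
        print(name, *check_csrf_origin(env, trusted))
```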
