> What is the Origin header and shouldn't Pyramid/WebOb set it
automatically if it's becoming more important?

1) You can read the RFC about it or anything on google.
2) The Origin header is set by the client, not the server.

If the origin matches the current domain (usually set by the host header)
then the request is trusted by default and you do not need to modify
anything. You have your app set up in such a way that your requests *look*
like they are originating from another server instead of the domain hosting
the content. Just configure your webtest requests such that the origin and
host match and you'll be fine.

> I still feel like there's a missing piece, something that needs to be
> documented so that others don't fall into this same trap.

If you would like to contribute some documentation on this once you figure
it out I'm more than happy to review. It probably belongs in the testing
chapter about how to use webtest. If you think webtest should set the
origin/host the same by default then perhaps you could open an issue over
there.

- Michael
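A small model of the check Michael describes, added here as an example (not Pyramid's or WebTest's own code; Pyramid's real check lives in `pyramid.csrf` and its matching rules differ, e.g. wildcard hosts), run over constructed WSGI environs that stand in for what a test client would send:

```python
# Added example: a model of the Origin check from the thread, applied to
# constructed WSGI environ dicts. Not Pyramid's or WebTest's implementation.
from urllib.parse import urlparse


def origin_is_trusted(environ, trusted_origins=()):
    """Return True when the request should pass the Origin check.

    Behaviour follows the thread: the check only runs over https, the Origin
    header comes from the client, and it is accepted when it matches the Host
    the app is served from or is listed in the trusted hosts (the model of
    pyramid.csrf_trusted_origins used here; exact matching is an assumption).
    """
    if environ.get("wsgi.url_scheme") != "https":
        return True  # option 1 in the thread: no origin check over plain http
    origin = environ.get("HTTP_ORIGIN") or environ.get("HTTP_REFERER")
    if not origin:
        return False  # no Origin or Referer at all: reject
    parts = urlparse(origin)
    if not parts.scheme or not parts.netloc:
        return False  # unparseable origin: reject
    if parts.netloc == environ.get("HTTP_HOST"):
        return True  # same host the request is addressed to: trusted by default
    return parts.netloc in set(trusted_origins)  # option 2: configured trust


# Constructed environ values; illustrative, not WebTest's exact defaults.
BASE = {"wsgi.url_scheme": "https", "HTTP_HOST": "localhost:80",
        "REQUEST_METHOD": "POST"}


def demo():
    """Run the four situations discussed in the thread and return the outcomes."""
    no_origin = dict(BASE)
    mismatched = dict(BASE, HTTP_ORIGIN="https://example.com")
    matched = dict(BASE, HTTP_ORIGIN="https://localhost:80")
    plain_http = dict(mismatched, **{"wsgi.url_scheme": "http"})
    return {
        "no_origin": origin_is_trusted(no_origin),
        "mismatch": origin_is_trusted(mismatched),
        "match": origin_is_trusted(matched),
        "trusted_list": origin_is_trusted(mismatched, ["example.com"]),
        "http_scheme": origin_is_trusted(plain_http),
    }
```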


On Tue, Sep 26, 2017 at 12:52 AM, Mike Orr <sluggos...@gmail.com> wrote:

> On Mon, Sep 25, 2017 at 10:40 PM, Mike Orr <sluggos...@gmail.com> wrote:
> > On Mon, Sep 25, 2017 at 9:00 PM, Mike Orr <sluggos...@gmail.com> wrote:
> >> On Mon, Sep 25, 2017 at 5:47 PM, Michael Merickel <mmeri...@gmail.com>
> wrote:
> >>>> So what's the best way forward?
> >>>
> >>> I think you covered your options pretty well.
> >>>
> >>> 1) Set wsgi.url_scheme to "http" as origin checks are only done on
> https.
> >>> 2) Set the pyramid.csrf_trusted_origins as you are doing now.
> >>> 3) Disable csrf checking for your tests.
> >>>
> >>> I think it's just a helpful reminder that you would be wise to think
> about
> >>> the origin header more these days as it's required by CORS requests
> and, of
> >>> course, cross origin requests are the attack vector CSRF is helping to
> >>> protect.
> >>
> >> It sounds like it needs documentation then. What is the Origin header
> >> and shouldn't Pyramid/WebOb set it automatically if it's becoming more
> >> important?
> >>
> >> #1 and #3 would make the test environment different from the real
> >> environment. #2 raises the question of what is WebTest's Origin
> >> header, what should it be, why are they different, and does something
> >> need to be changed in the library?
> >
> > I guess the solution is #1, to roll back the HTTPS, because there is
> > no HTTPS because there's no network server. That in turn will require
> > a configuration that doesn't make the cookies HTTPS-only.
>
> (The browser got in a mood and did "Send" too quickly.)
>
> I still feel like there's a missing piece, something that needs to be
> documented so that others don't fall into this same trap. The only
> reason I set HTTPS-only and CSRF is our IT department asked us to do
> this wherever feasible, and since it didn't make much difference
> either way I went along with it. So presumably other people in other
> organizations will be doing the same thing, and have the same thing
> happen in their tests.
>
>
> --
> Mike Orr <sluggos...@gmail.com>
>
> --
> You received this message because you are subscribed to the Google Groups
> "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to pylons-discuss+unsubscr...@googlegroups.com.
> To post to this group, send email to pylons-discuss@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/pylons-discuss/CAH9f%3Duo%2BAYpm6-oS-vPLFg0Ek3gz1G2JDHcW2m0MmdH_
> X8zp4g%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.
>
