Re: CsrfViewMiddleware and HTTPS
Ah; now that I understand the purpose of the check, it all makes sense to me. Thanks, Paul!

-Dave

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: CsrfViewMiddleware and HTTPS
This check prevents a MITM from injecting an HTTP-based form/csrf token pair along with JavaScript to auto-submit it to an HTTPS target. Any HTTP request is vulnerable to all kinds of MITM and there's nothing we can do about it, but an HTTPS-based request should be as secure as possible even with a MITM. This protection discourages our users from building HTTP forms that post to HTTPS targets, a practice that essentially invalidates most of the browser-based security UI. SSLStrip is a very real threat.

As for issue #2, of course it's possible to send anything you like as an attacker (including making up a referer header). This is about protecting non-malicious users. A malicious MITM shouldn't be able to modify an SSL request on the wire to change that header, since everything except the destination IP address is encrypted.

There has been previous discussion of this issue:
http://groups.google.com/group/django-developers/browse_thread/thread/d16647e84d2b39ea
http://groups.google.com/group/django-developers/browse_thread/thread/22058adaf11e3ed6

and it is commented on in the code:
http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py#L139

-Paul
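To make the referer check Paul describes concrete, here is an added illustration (not code from this thread or from Django itself) of a strict same-origin referer check that only applies to HTTPS requests; `referer_check`, `same_origin` and their arguments are assumed names, and `host` is assumed to be a host value the server already trusts (i.e. not taken from a header a client can forge).

```python
from typing import Optional
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def same_origin(url1: str, url2: str) -> bool:
    """True if both URLs share scheme, host and port (the browser's origin tuple).

    Default ports are normalised so "https://a.example/" and
    "https://a.example:443/" compare equal.
    """
    def origin(url: str):
        p = urlparse(url)
        return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))
    return origin(url1) == origin(url2)


def referer_check(is_secure: bool, host: str, referer: Optional[str]) -> str:
    """Return "OK" or a "REJECT: ..." reason for a state-changing request.

    The check is deliberately skipped for plain HTTP: a MITM can rewrite every
    byte of such a request anyway, so a referer check adds nothing there.
    For HTTPS, an HTTPS-to-HTTPS navigation always carries a Referer, so a
    missing one is as suspicious as a mismatched one.
    """
    if not is_secure:
        return "OK"
    if referer is None:
        return "REJECT: no referer on HTTPS request"
    expected = f"https://{host}/"
    if not same_origin(referer, expected):
        # Catches both cross-site referers and the SSLStrip-style case where
        # an http:// page (injected by a MITM) posts to the https:// target.
        return f"REJECT: referer {referer!r} is not {expected!r}"
    return "OK"


if __name__ == "__main__":
    # Constructed sample requests: (is_secure, trusted host, Referer header)
    for case in [(True, "example.com", "https://example.com/form"),
                 (True, "example.com", "http://example.com/form"),
                 (True, "example.com", None),
                 (True, "example.com", "https://evil.example.net/"),
                 (False, "example.com", None)]:
        print(case, "->", referer_check(*case))
```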
CsrfViewMiddleware and HTTPS
If you're using HTTPS, the CsrfViewMiddleware performs a same_origin check on the domain. Two questions:

1. What security issue does this prevent? (I assume some kind of MITM, but I don't understand why it would be important for HTTPS and not for HTTP.)

2. Because the check uses request.get_host(), and get_host() honors the X-Forwarded-Host header, isn't it possible to effectively thwart the check by sending a bogus X-Forwarded-Host header as part of evil requests?

Thanks,
Dave