Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2017-05-24 Thread Flávio Junior
After two years, made a PR for this during PyCon sprints: https://github.com/django/django/pull/8546 🍾 On Saturday, December 5, 2015 at 04:31:12 UTC-8, Collin Anderson wrote: > Basically, the origin check would only be useful for safari (in this case). Everywhere else we'd still need to re

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-05 Thread Collin Anderson
Basically, the origin check would only be useful for safari (in this case). Everywhere else we'd still need to rely on the referrer header. On Sat, Dec 5, 2015 at 3:42 AM, Florian Apolloner wrote: > On Friday, December 4, 2015 at 8:03:45 PM UTC+1, Flávio Junior wrote: >> I can create a ti

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-05 Thread Florian Apolloner
On Friday, December 4, 2015 at 8:03:45 PM UTC+1, Flávio Junior wrote: > I can create a ticket suggesting Django to check Origin header before checking Referer. Or do you want to create that Collin? I think Firefox does not send the origin header ever yet, do you have any docs on that (As

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-04 Thread Flávio Junior
Yes Jon, makes sense, sorry for missing that. The only HTML-only solution I see for this is to manually add rel="noreferrer" to all external links on my webapp, which is a pain. With extra backend code, one might also implement something similar to https://anon.click/ to prevent referrer leaking.

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-04 Thread Jon Dufresne
On Wed, Dec 2, 2015 at 10:29 AM, Flávio Junior wrote: > Also, I can't imagine now why, but some developer might want to disable referer header altogether, and can easily do so by setting policy to No Referrer. Why is it unimaginable that I may want to maximize privacy for my users? The domain

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-04 Thread Flávio Junior
Hi Collin, Firefox doesn't include Origin header on same-origin POST/PUT/DELETE requests. I just tested it and this SO answer says the same. But yes, checking both Origin and Referer headers would help give support for Origin When Cross-Origin. I can c

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-04 Thread Collin Anderson
Also, if we checked the origin header, would it allow us to at least support the "Origin When Cross-Origin" policy in all browsers? (Use the Origin header for Safari and the referrer for all of the other browsers?) On Fri, Dec 4, 2015 at 10:38 AM, Tim Graham wrote: > Flávio, thanks -- since you

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-04 Thread Tim Graham
Flávio, thanks -- since you seem to have a good understanding of the limitation, could you submit a documentation patch (or even just provide some draft text here)? On Friday, December 4, 2015 at 8:25:35 AM UTC-5, Flávio Junior wrote: > Found an issue that already discusses this: https://cod

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-04 Thread Flávio Junior
Found an issue that already discusses this: https://code.djangoproject.com/ticket/16870#comment:10 On Thursday, December 3, 2015 at 13:41:09 UTC-3, Flávio Junior wrote: > Florian, then Django will have to keep this limitation: can't use a global no-referrer policy on HTTPS because o

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-03 Thread Flávio Junior
Florian, then Django will have to keep this limitation: can't use a global no-referrer policy on HTTPS because of strict referrer check. Correct? Should I create an issue to keep this logged? On Thursday, December 3, 2015 at 13:19:38 UTC-3, Florian Apolloner wrote: > On Wednesday

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-03 Thread Florian Apolloner
On Wednesday, December 2, 2015 at 7:37:30 PM UTC+1, Flávio Junior wrote: > If Django still needs the strict referrer check, maybe a better error message should be implemented. I do not see any reason why it would not need it anymo

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-03 Thread Flávio Junior
That won't solve the problem. If you set policy to *No Referrer* and make a request to the same origin, Chrome sets Origin to "null", Firefox doesn't set the header and Safari sets the correct origin. On Wednesday, December 2, 2015 at 16:01:51 UTC-3, Collin Anderson wrote: > Seems to

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-02 Thread Collin Anderson
Seems to me we could ignore the referrer if we get a valid same-domain Origin header. On Wed, Dec 2, 2015 at 1:29 PM, Flávio Junior wrote: > Some browsers already implement the Referrer Policy draft, which gives the
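
An added example, not Django's CsrfViewMiddleware and not code from anyone in this thread, of the fallback Collin proposes here (trust a same-origin Origin header, otherwise fall back to the strict Referer check), exercised against the three same-origin *No Referrer* behaviours Flávio describes in his reply above (Chrome sends `Origin: null`, Firefox sends no Origin, Safari sends the real origin). The header sets, the expected origin `https://example.com`, and the names `check_origin` and `run_samples` are all constructed for this demonstration.

```python
"""Origin-then-Referer check for state-changing requests over HTTPS.

Added example for the thread above; it is NOT Django's own CSRF code.
Order: a same-origin Origin header is sufficient; if Origin is absent,
fall back to a strict Referer check (Referer must be present and match).
"""
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def _origin_of(url):
    """Return 'scheme://host[:port]' for a URL, or None if it has no host."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_origin(method, headers, request_origin):
    """Return (accepted, reason) for one request.

    headers: dict of request headers (looked up case-insensitively here).
    request_origin: the origin the server believes it is serving, e.g.
        'https://example.com'; assumed to be derived by the caller from the
        Host header and the TLS state, never from client-controlled headers.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no check needed"

    h = {k.lower(): v for k, v in headers.items()}
    expected = request_origin.lower()

    origin = h.get("origin")
    if origin is not None:
        # Chrome under a no-referrer policy sends the literal string "null"
        # even for same-origin requests; "null" never equals a real origin,
        # so such a request is rejected rather than silently trusted.
        if origin.lower() == expected:
            return True, "Origin header matches"
        return False, f"Origin header {origin!r} does not match {expected!r}"

    # No Origin header (Firefox on same-origin POST at the time of the thread):
    # fall back to the Referer, which is required here because this is HTTPS.
    referer = h.get("referer")
    if referer is None:
        return False, "no Origin and no Referer on a state-changing request"
    referer_origin = _origin_of(referer)
    if referer_origin != expected:
        return False, f"Referer origin {referer_origin!r} does not match {expected!r}"
    return True, "Referer header matches"


# Constructed header sets standing in for the browsers named in the thread;
# this is not captured traffic.
SAMPLES = {
    "chrome_no_referrer": {"Origin": "null"},
    "firefox_no_referrer": {},
    "safari_no_referrer": {"Origin": "https://example.com"},
    "default_policy": {"Origin": "https://example.com",
                       "Referer": "https://example.com/form/"},
    "referer_only": {"Referer": "https://example.com/form/"},
    "cross_site": {"Origin": "https://attacker.example",
                   "Referer": "https://attacker.example/csrf.html"},
}


def run_samples(request_origin="https://example.com"):
    """Map each sample name to whether a POST with those headers is accepted."""
    return {name: check_origin("POST", hdrs, request_origin)[0]
            for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, accepted in run_samples().items():
        print(f"{name:20} {'accepted' if accepted else 'rejected'}")
```

Running it shows the limitation the thread converges on: with a global no-referrer policy the Safari request is accepted on the strength of its Origin header, the Chrome request is rejected because `null` can never match, and the Firefox request is rejected because there is nothing left to check. Note that `expected` is compared as an exact string, so a deployment that sees explicit default ports (`https://example.com:443`) would need to normalise both sides first.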

Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-02 Thread Flávio Junior
Some browsers already implement the Referrer Policy draft, which gives the developer more control over the referer HTTP header sent by the browser. Sometimes it is useful to set a more private policy, like *Origin When Cro