Opened 10 years ago

Last modified 9 years ago

#24496 closed New feature

Check CSRF Referer against CSRF_COOKIE_DOMAIN — at Initial Version

Reported by: Matt Robenolt Owned by: nobody
Component: CSRF Version: dev
Severity: Normal Keywords: csrf 1.9
Cc: django@… Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Right now, if you try to share a CSRF token across a subdomain without https, everything works great since the Referer header isn't validated.

But over https, we want to be a bit more strict and make sure that the Referer is from another secure site, and also that the Referer matches where we think it should be coming from. The canonical source for where we think it should be from is CSRF_COOKIE_DOMAIN.

If we set our CSRF_COOKIE_DOMAIN to .example.com, that means our CSRF validation should work for www.example.com and foo.example.com. Not just strictly the domain the request is coming from.

Change History (0)

Note: See TracTickets for help on using tickets.
Back to Top