Opened 3 years ago

Last modified 3 years ago

#33360 closed Bug

Add missing support for `Origin: null` (`CSRF_TRUSTED_ORIGINS`) — at Version 2

Reported by: Tomasz Wójcik Owned by: nobody
Component: CSRF Version: 4.0
Severity: Normal Keywords: origin, CSRF_TRUSTED_ORIGINS, null
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Tomasz Wójcik)

In Django 4, #16010 has been released. It includes 2 changes that affect my project:

  • origins in CSRF_TRUSTED_ORIGINS are required to include an HTTP scheme
  • Origin header, if present in the request headers, will always be checked against CSRF_TRUSTED_ORIGINS

The problem is that by default when the project is running on localhost, browsers will always send Origin: null (correct me if I'm wrong).

if 'HTTP_ORIGIN' in request.META will always evaluate to True on localhost, even if Origin: null.
if request_origin in self.allowed_origins_exact will never evaluate to True on localhost, as null will never be a valid origin as it doesn't include a scheme.

As a result, it's impossible to POST a form on localhost.


  • If it's a regression to 16010, I'd propose changing

if 'HTTP_ORIGIN' in request.META

to

​if request.META.get('HTTP_ORIGIN') is not None

  • If it's a feature, I'd suggest adding the above or a setting CSRF_ALLOW_NULL_ORIGIN = False but it'd require a change in all projects migrating to v 4
  • if I am mistaken and the Origin header should be automatically populated by browsers with a non-null value when POSTing from localhost, this ticket can be closed (or maybe docs could be improved?)

Sample code that is failing on 4 and is working fine on 3.x

# settings
from corsheaders.defaults import default_headers

CORS_ALLOWED_ORIGINS = [
    "http://localhost:8000",
    "http://127.0.0.1:8000",
]
CSRF_TRUSTED_ORIGINS = [
    "http://localhost:8000",
    "http://127.0.0.1:8000",
    ]
# template
<form method="post">
    {% csrf_token %}
</form>

Error:

Origin checking failed - null does not match any trusted origins.

Request headers:

Host: localhost:8000
Origin: null

Even if I'm wrong, it's worth noting that the standard defines opaque origin when Origin will be set to null so technically this value should be supported anyway but I don't understand its (opaque origin) definition.
Let me know if there's something to do here. If yes, please assign me.

Change History (2)

comment:1 by Tomasz Wójcik, 3 years ago

I don't think I have the power to summon someone, but in 16010 Adam Johnson has been CCed and he once wrote

browsers send `Origin: null` for localhost/127.0.0.1

(I will try anyway): CC Adam Johnson please confirm if it still holds true.

comment:2 by Tomasz Wójcik, 3 years ago

Description: modified (diff)
Note: See TracTickets for help on using tickets.
Back to Top