Opened 10 years ago
Last modified 9 years ago
#24496 closed New feature
Check CSRF Referer against CSRF_COOKIE_DOMAIN — at Initial Version
| Reported by: | Matt Robenolt | Owned by: | nobody |
|---|---|---|---|
| Component: | CSRF | Version: | dev |
| Severity: | Normal | Keywords: | csrf 1.9 |
| Cc: | django@… | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Right now, if you try to share a CSRF token across a subdomain without https, everything works great since the Referer header isn't validated.
But over https, we want to be a bit more strict and make sure that the Referer is from another secure site, and also that the Referer matches where we think it should be coming from. The canonical source for where we think it should be from is CSRF_COOKIE_DOMAIN.

If we set our CSRF_COOKIE_DOMAIN to .example.com, that means our CSRF validation should work for www.example.com and foo.example.com, not just strictly the domain the request is coming from.