[Django] #29802: Allow skipping CSRF check for Referer header

Django

Sep 27, 2018, 8:28:40 PM
to django-...@googlegroups.com
#29802: Allow skipping CSRF check for Referer header
-------------------------------------+-------------------------------------
Reporter: Aaron1011 | Owner: nobody
Type: New feature | Status: new
Component: CSRF | Version: 2.1
Severity: Normal | Keywords: csrf,https,hsts,referer
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
Currently, Django's CSRF middleware will reject any 'non-safe' HTTPS
request that lacks a Referer header:
https://github.com/django/django/blob/22e8ab02863819093832de9f771bf40a62a6bd4a/django/middleware/csrf.py#L242

However, some users may prevent their browsers from sending the Referer
header, due to privacy concerns. These users are unable to submit
'non-safe' requests (e.g. POST requests) on an HTTPS-enabled
Django-powered website that uses CSRF protection.

For some websites, checking the Referer header may provide no added
security benefit. For example, an HSTS-preloaded website which controls
all of its subdomains has nothing to gain from this check - there are no
untrusted subdomains which can mount an attack, and HSTS prevents an HTTP
MITM attack.

To allow these websites to provide more flexibility to their users, Django
should support disabling this CSRF Referer check. This could be done
through a new setting, e.g. 'CSRF_REFERER_CHECK' (defaulting to 'True' to
avoid breaking existing sites).

--
Ticket URL: <https://code.djangoproject.com/ticket/29802>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
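
As an added illustration (example code written for this page, not part of the ticket and not Django's own implementation), the following Python models the Referer check the ticket describes for non-safe HTTPS requests, with a `referer_check` flag standing in for the proposed `CSRF_REFERER_CHECK` setting; port handling and the `CSRF_USE_SESSIONS` branch are omitted, and the rejection strings and the sample hosts are constructed.

```python
from urllib.parse import urlparse

# Constructed, simplified model of the Referer check that Django's
# CsrfViewMiddleware applies to non-safe requests over HTTPS (example
# code, not Django's code). `referer_check` stands in for the hypothetical
# CSRF_REFERER_CHECK setting proposed in the ticket.

REASON_NO_REFERER = "no Referer"
REASON_MALFORMED_REFERER = "Referer is malformed"
REASON_INSECURE_REFERER = "Referer is insecure while host is secure"
REASON_BAD_REFERER = "%s does not match any trusted origins"


def is_same_domain(host, pattern):
    """Match like Django's is_same_domain: a leading dot in the pattern
    allows the bare domain and every subdomain; otherwise exact match."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])
        or pattern == host
    )


def check_referer(host, referer, *, cookie_domain=None,
                  trusted_origins=(), referer_check=True):
    """Return None if the request may proceed, else the rejection reason."""
    if not referer_check:
        return None  # proposed setting switched off: skip the check entirely
    if referer is None:
        return REASON_NO_REFERER  # privacy-minded browsers land here
    parsed = urlparse(referer)
    if "" in (parsed.scheme, parsed.netloc):
        return REASON_MALFORMED_REFERER
    if parsed.scheme != "https":
        return REASON_INSECURE_REFERER  # an http:// page cannot be trusted
    # The cookie domain (if set) widens the match to sibling subdomains;
    # otherwise only the request's own host and CSRF_TRUSTED_ORIGINS pass.
    good_hosts = list(trusted_origins)
    good_hosts.append(cookie_domain if cookie_domain is not None else host)
    if not any(is_same_domain(parsed.netloc.lower(), h) for h in good_hosts):
        return REASON_BAD_REFERER % parsed.geturl()
    return None


if __name__ == "__main__":
    for ref in (None, "http://example.com/f", "https://example.com/f",
                "https://app.example.com/f"):
        print(repr(ref), "->", check_referer("example.com", ref))
```

Note that with `referer_check=False` every branch is skipped, including the insecure-scheme and foreign-origin rejections, which is the trade-off the ticket's HSTS-preload argument is weighing.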

Django

Sep 27, 2018, 8:29:18 PM
to django-...@googlegroups.com
#29802: Allow skipping CSRF check for Referer header
-------------------------------------+-------------------------------------
Reporter: Aaron1011 | Owner: nobody
Type: New feature | Status: new
Component: CSRF | Version: 2.1
Severity: Normal | Resolution:
Keywords: csrf,https,hsts,referer | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Aaron1011:

Old description:

> Currently, Django's CSRF middleware will reject any 'non-safe' HTTPS
> request that lacks a Referer header:
> https://github.com/django/django/blob/22e8ab02863819093832de9f771bf40a62a6bd4a/django/middleware/csrf.py#L242
>
> However, some users may prevent their browsers from sending the Referer
> header, due to privacy concerns. These users are unable to submit
> 'non-safe' requests (e.g. POST requests) on an HTTPS-enabled
> Django-powered website that uses CSRF protection.
>
> For some websites, checking the Referer header may provide no added
> security benefit. For example, an HSTS-preloaded website which controls
> all of its subdomains has nothing to gain from this check - there are no
> untrusted subdomains which can mount an attack, and HSTS prevents an HTTP
> MITM attack.
>
> To allow these websites to provide more flexibility to their users,
> Django should support disabling this CSRF Referer check. This could be
> done through a new setting, e.g. 'CSRF_REFERER_CHECK' (defaulting to
> 'True' to avoid breaking existing sites).

New description:

Currently, Django's CSRF middleware will reject any 'non-safe' HTTPS
request that lacks a Referer header:
https://github.com/django/django/blob/22e8ab02863819093832de9f771bf40a62a6bd4a/django/middleware/csrf.py#L242

However, some users may prevent their browsers from sending the Referer
header, due to privacy concerns. These users are unable to submit
'non-safe' requests (e.g. POST requests) on HTTPS-enabled Django-powered
websites that use CSRF protection.

For some websites, checking the Referer header may provide no added
security benefit. For example, an HSTS-preloaded website which controls
all of its subdomains has nothing to gain from this check - there are no
untrusted subdomains which can mount an attack, and HSTS prevents an HTTP
MITM attack.

To allow these websites to provide more flexibility to their users, Django
should support disabling this CSRF Referer check. This could be done
through a new setting, e.g. 'CSRF_REFERER_CHECK' (defaulting to 'True' to
avoid breaking existing sites).

--
Ticket URL: <https://code.djangoproject.com/ticket/29802#comment:1>

Django

Sep 27, 2018, 8:32:40 PM
to django-...@googlegroups.com
#29802: Allow skipping CSRF check for Referer header
-------------------------------------+-------------------------------------
Reporter: Aaron1011 | Owner: nobody
Type: New feature | Status: new
Component: CSRF | Version: 2.1
Severity: Normal | Resolution:
Keywords: csrf,https,hsts,referer | Triage Stage: Someday/Maybe
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

* stage: Unreviewed => Someday/Maybe


Comment:

Please make your proposal on the DevelopersMailingList as the addition of
new settings requires a consensus.

--
Ticket URL: <https://code.djangoproject.com/ticket/29802#comment:2>

Django

Nov 24, 2022, 11:44:41 PM
to django-...@googlegroups.com
#29802: Allow skipping CSRF check for Referer header
-------------------------------------+-------------------------------------
Reporter: Aaron Hill | Owner: nobody
Type: New feature | Status: closed
Component: CSRF | Version: 2.1
Severity: Normal | Resolution: wontfix
Keywords: csrf,https,hsts,referer | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* status: new => closed
* resolution: => wontfix
* stage: Someday/Maybe => Unreviewed


Comment:

Please first start a discussion on the DevelopersMailingList, where you'll
reach a wider audience and see what others think, and
[https://docs.djangoproject.com/en/stable/internals/contributing/bugs-and-features/#requesting-features
follow the guidelines with regards to requesting features]. Thanks.

--
Ticket URL: <https://code.djangoproject.com/ticket/29802#comment:3>
