[Django] #35328: Improve CSRF Origin checking messaging


Django

Mar 24, 2024, 10:44:36 PM
to django-...@googlegroups.com
#35328: Improve CSRF Origin checking messaging
----------------------------------------+--------------------------
Reporter: Ryan Hiebert | Owner: nobody
Type: New feature | Status: assigned
Component: CSRF | Version: dev
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
----------------------------------------+--------------------------
A very common misconfiguration is for the
`SECURE_PROXY_SSL_HEADER` setting to not be configured correctly. This
causes the origin checks to fail, but the messaging leads folks like me to
the `CSRF_TRUSTED_ORIGINS` setting, which is not really what you want in
this scenario. In some cases, like GitHub Codespaces, you may also need
the `USE_X_FORWARDED_HOST` setting as well.

I believe we can make some common scenarios easier to fix by improving our
error messaging. Particularly in `DEBUG` mode, we can show useful
information about their headers and give a suggestion about what fix might
be appropriate.

https://forum.djangoproject.com/t/forwarded-headers-csrf-hints/28616
--
Ticket URL: <https://code.djangoproject.com/ticket/35328>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
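As an added illustration (not code from the ticket, the patch, or Django itself), here is a simplified model of the same-origin decision the report describes: the request's own scheme and host are reconstructed from the WSGI environ, compared to the Origin header, and on failure a hint names the setting most likely at fault. The function and variable names (`request_scheme`, `request_host`, `check_origin`, `PROXIED`) and the environ values are constructed for this example; Django's real check has more cases (wildcards in `CSRF_TRUSTED_ORIGINS`, Referer fallback) that are left out here.

```python
from urllib.parse import urlsplit


def request_scheme(meta, secure_proxy_ssl_header=None):
    # Without SECURE_PROXY_SSL_HEADER the app only sees the plain-HTTP hop
    # from the proxy, so it concludes the request was not secure.
    if secure_proxy_ssl_header:
        header, value = secure_proxy_ssl_header
        if meta.get(header) == value:
            return "https"
    return "https" if meta.get("wsgi.url_scheme") == "https" else "http"


def request_host(meta, use_x_forwarded_host=False):
    # USE_X_FORWARDED_HOST makes the forwarded host win over Host.
    if use_x_forwarded_host and "HTTP_X_FORWARDED_HOST" in meta:
        return meta["HTTP_X_FORWARDED_HOST"]
    return meta["HTTP_HOST"]


def check_origin(meta, settings):
    """Return (ok, hint): same-origin or trusted origin passes; a failure
    carries a hint naming the setting most likely to be misconfigured."""
    origin = meta.get("HTTP_ORIGIN")
    if origin is None:
        return False, "no Origin header"
    scheme = request_scheme(meta, settings.get("SECURE_PROXY_SSL_HEADER"))
    host = request_host(meta, settings.get("USE_X_FORWARDED_HOST", False))
    expected = f"{scheme}://{host}"
    if origin == expected or origin in settings.get("CSRF_TRUSTED_ORIGINS", []):
        return True, ""
    parts = urlsplit(origin)
    hint = f"Origin {origin!r} does not match {expected}."
    if parts.netloc == host and parts.scheme != scheme:
        hint += " Scheme mismatch: check SECURE_PROXY_SSL_HEADER."
    elif parts.netloc == meta.get("HTTP_X_FORWARDED_HOST"):
        hint += " Host mismatch: check USE_X_FORWARDED_HOST."
    return False, hint


# Constructed WSGI environ: the browser spoke HTTPS to the proxy, the proxy
# spoke plain HTTP to the app and recorded the original scheme in a header.
PROXIED = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "app.example",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_ORIGIN": "https://app.example",
}
PROXY_SETTING = ("HTTP_X_FORWARDED_PROTO", "https")

if __name__ == "__main__":
    print(check_origin(PROXIED, {}))
    print(check_origin(PROXIED, {"SECURE_PROXY_SSL_HEADER": PROXY_SETTING}))
```

Adding the origin to `CSRF_TRUSTED_ORIGINS` would also make the first call pass, which is exactly the wrong fix the ticket warns about: the app would still treat the request as insecure.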

Django

Mar 25, 2024, 11:08:15 AM
to django-...@googlegroups.com
#35328: Improve CSRF Origin checking messaging
--------------------------------------+------------------------------------
Reporter: Ryan Hiebert | Owner: nobody
Type: Cleanup/optimization | Status: assigned
Component: CSRF | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Natalia Bidart):

* cc: Carlton Gibson, tim-schilling (added)
* stage: Unreviewed => Accepted
* type: New feature => Cleanup/optimization

Comment:

Accepting following the linked Forum discussion.
--
Ticket URL: <https://code.djangoproject.com/ticket/35328#comment:1>

Django

Mar 25, 2024, 5:07:51 PM
to django-...@googlegroups.com
#35328: Improve CSRF Origin checking messaging
--------------------------------------+------------------------------------
Reporter: Ryan Hiebert | Owner: nobody
Type: Cleanup/optimization | Status: assigned
Component: CSRF | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Mariusz Felisiak):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/35328#comment:2>

Django

Mar 29, 2024, 11:10:47 PM
to django-...@googlegroups.com
#35328: Improve CSRF Origin checking messaging
--------------------------------------+------------------------------------
Reporter: Ryan Hiebert | Owner: nobody
Type: Cleanup/optimization | Status: assigned
Component: CSRF | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Ryan Hiebert):

* needs_better_patch: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/35328#comment:3>

Django

Apr 7, 2024, 7:57:34 AM
to django-...@googlegroups.com
#35328: Improve CSRF Origin checking messaging
-------------------------------------+-------------------------------------
Reporter: Ryan Hiebert | Owner: Ryan Hiebert
Type: Cleanup/optimization | Status: assigned
Component: CSRF | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Ryan Hiebert):

* owner: nobody => Ryan Hiebert

--
Ticket URL: <https://code.djangoproject.com/ticket/35328#comment:4>

Django

Apr 25, 2024, 10:34:57 AM
to django-...@googlegroups.com
#35328: Improve CSRF Origin checking messaging
-------------------------------------+-------------------------------------
Reporter: Ryan Hiebert | Owner: Ryan Hiebert
Type: Cleanup/optimization | Status: assigned
Component: CSRF | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/35328#comment:5>

Django

May 20, 2024, 9:48:18 PM
to django-...@googlegroups.com
#35328: Improve CSRF Origin checking messaging
-------------------------------------+-------------------------------------
Reporter: Ryan Hiebert | Owner: Ryan Hiebert
Type: Cleanup/optimization | Status: assigned
Component: CSRF | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Ryan Hiebert):

* needs_better_patch: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/35328#comment:6>

Django

May 22, 2024, 6:06:22 AM
to django-...@googlegroups.com
#35328: Improve CSRF Origin checking messaging
-------------------------------------+-------------------------------------
Reporter: Ryan Hiebert | Owner: Ryan Hiebert
Type: Cleanup/optimization | Status: assigned
Component: CSRF | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/35328#comment:7>

Django

May 22, 2024, 8:09:43 AM
to django-...@googlegroups.com
#35328: Improve CSRF Origin checking messaging
-------------------------------------+-------------------------------------
Reporter: Ryan Hiebert | Owner: Ryan Hiebert
Type: Cleanup/optimization | Status: assigned
Component: CSRF | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Ryan Hiebert):

* needs_better_patch: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/35328#comment:8>

Django

May 24, 2024, 11:06:57 AM
to django-...@googlegroups.com
#35328: Improve CSRF Origin checking messaging
-------------------------------------+-------------------------------------
Reporter: Ryan Hiebert | Owner: Ryan Hiebert
Type: Cleanup/optimization | Status: assigned
Component: CSRF | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/35328#comment:9>