Disable HTTP Referer checking

[sspross]

hi

is it possible to deactivate the http referer checking in the Cross
Site Request Forgery protection?

https://docs.djangoproject.com/en/dev/ref/contrib/csrf/

a flash application sends my django app a form and in flash we can't
set an Referer Header. So in case of HTTPS it fails.

regards,
silvan

[Tom Evans]

On the page you linked to:

https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#csrf-protection-should-be-disabled-for-just-a-few-views

HTH

Tom

[sspross]

hi tom

thanks for your reply, but

i'm don't want to disable a whole view, just disabling the http
referer checking in https.

silvan

> https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#csrf-protecti...
>
> HTH
>
> Tom

[Tom Evans]

On Wed, Sep 28, 2011 at 4:03 PM, sspross <spr...@allink.ch> wrote:
> hi tom
>
> thanks for your reply, but
>
> i'm don't want to disable a whole view, just disabling the http
> referer checking in https.
>
> silvan
>

Oh I see - my bad.

There's no way to disable this check, looking at the source code.

The CSRF middleware will automatically accept a request, regardless of
the referrer/CSRF tokens provided, if the request has the attribute
'_dont_enforce_csrf_checks' set to True.
This is meant to be for the test suite to skip CSRF checks (I think),
but you could abuse it, eg by adding some middleware which checks that
the call is valid and adding that attribute if you think the request
is genuine.

Cheers

Tom

[sspross]

On Sep 28, 5:19 pm, Tom Evans <tevans...@googlemail.com> wrote:
> On Wed, Sep 28, 2011 at 4:03 PM, sspross <spr...@allink.ch> wrote:
> > hi tom
>
> > thanks for your reply, but
>
> > i'm don't want to disable a whole view, just disabling the http
> > referer checking in https.
>
> > silvan
>

Thanks Tom, I will take a closer look at this!

Silvan

[Siphiwe Gwebu]

Did you ever have any luck with disabling referer checnking?