Added proper code comments for the HTTPS CSRF protection.

Refs #13489 which noticed a vague comment - thanks pmclanahan
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13405 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit f92a21daa78f4f1b34c0188d6d764a5992f94adc 1 parent c724ad9
Luke Plant spookylukey authored

Showing 1 changed file with 16 additions and 2 deletions.

django/middleware/csrf.py
@@ -126,13 +126,27 @@ def accept():
126 126 return accept()
127 127
128 128 if request.is_secure():
129   - # Strict referer checking for HTTPS
  129 + # Suppose user visits http://example.com/
  130 + # An active network attacker,(man-in-the-middle, MITM) sends a
  131 + # POST form which targets https://example.com/detonate-bomb/ and
  132 + # submits it via javascript.
  133 + #
  134 + # The attacker will need to provide a CSRF cookie and token, but
  135 + # that is no problem for a MITM and the session independent
  136 + # nonce we are using. So the MITM can circumvent the CSRF
  137 + # protection. This is true for any HTTP connection, but anyone
  138 + # using HTTPS expects better! For this reason, for
  139 + # https://example.com/ we need additional protection that treats
  140 + # http://example.com/ as completely untrusted. Under HTTPS,
  141 + # Barth et al. found that the Referer header is missing for
  142 + # same-domain requests in only about 0.2% of cases or less, so
  143 + # we can use strict Referer checking.
130 144 referer = request.META.get('HTTP_REFERER')
131 145 if referer is None:
132 146 return reject("Referer checking failed - no Referer.")
133 147
134 148 # The following check ensures that the referer is HTTPS,
135   - # the domains match and the ports match. This might be too strict.
  149 + # the domains match and the ports match - the same origin policy.
136 150 good_referer = 'https://%s/' % request.get_host()
137 151 if not referer.startswith(good_referer):
138 152 return reject("Referer checking failed - %s does not match %s." %
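Review bot: the comment at +149 describes the check as "the same origin policy", but what +150/+151 actually do is a string-prefix match of the Referer against 'https://%s/' built from request.get_host(), and get_host() is derived from the incoming Host header rather than from a server-side setting; the comment should say that the expected origin is taken from the request, so a reader does not assume it is pinned by configuration. The Barth et al. figure at +141-143 should also carry its citation (Barth, Jackson and Mitchell, "Robust Defenses for Cross-Site Request Forgery", CCS 2008) so the "0.2% or less" claim can be checked against the source. Minor: "attacker,(man-in-the-middle, MITM)" at +130 has a stray comma before the parenthesis.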

0 comments on commit f92a21d
