Added proper code comments for the HTTPS CSRF protection.

Refs #13489 which noticed a vague comment - thanks pmclanahan

git-svn-id: bcc190cf-cafb-0310-a4f2-bffc1f526a37
1 parent c724ad9 commit f92a21daa78f4f1b34c0188d6d764a5992f94adc @spookylukey spookylukey committed
Showing with 16 additions and 2 deletions.
  1. +16 −2 django/middleware/
18 django/middleware/
@@ -126,13 +126,27 @@ def accept():
return accept()
if request.is_secure():
- # Strict referer checking for HTTPS
+ # Suppose user visits
+ # An active network attacker,(man-in-the-middle, MITM) sends a
+ # POST form which targets and
+ # submits it via javascript.
+ #
+ # The attacker will need to provide a CSRF cookie and token, but
+ # that is no problem for a MITM and the session independent
+ # nonce we are using. So the MITM can circumvent the CSRF
+ # protection. This is true for any HTTP connection, but anyone
+ # using HTTPS expects better! For this reason, for
+ # we need additional protection that treats
+ # as completely untrusted. Under HTTPS,
+ # Barth et al. found that the Referer header is missing for
+ # same-domain requests in only about 0.2% of cases or less, so
+ # we can use strict Referer checking.
referer = request.META.get('HTTP_REFERER')
if referer is None:
return reject("Referer checking failed - no Referer.")
# The following check ensures that the referer is HTTPS,
- # the domains match and the ports match. This might be too strict.
+ # the domains match and the ports match - the same origin policy.
good_referer = 'https://%s/' % request.get_host()
if not referer.startswith(good_referer):
return reject("Referer checking failed - %s does not match %s." %
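Review bot: the new comment describes the check as "the same origin policy", but the visible code is a string-prefix comparison of the Referer against `'https://%s/' % request.get_host()`, so its strength depends entirely on where `get_host()` takes the host from (the request's Host header); the comment should say so, since a deployment that does not validate the Host header weakens this strict-Referer check as well. Also worth stating in the comment that the check deliberately requires an exact scheme, host and port match and therefore rejects any Referer with a different port, so readers do not reopen the "this might be too strict" question the old comment raised.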

0 comments on commit f92a21d
