django · jtinfors · Feb 6, 2013 · Feb 7, 2013 · Feb 6, 2013 · Feb 7, 2013
diff --git a/django/utils/http.py b/django/utils/http.py
@@ -226,7 +226,9 @@ def same_origin(url1, url2):
     Checks if two URLs are 'same-origin'
     """
     p1, p2 = urllib_parse.urlparse(url1), urllib_parse.urlparse(url2)
-    return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port)
+    p1_port = p1.port or { 'http': 80, 'https': 443 }[p1.scheme]
+    p2_port = p2.port or { 'http': 80, 'https': 443 }[p2.scheme]
+    return (p1.scheme, p1.hostname, p1_port) == (p2.scheme, p2.hostname, p2_port)
 
 def is_safe_url(url, host=None):
     """

diff --git a/tests/regressiontests/csrf_tests/tests.py b/tests/regressiontests/csrf_tests/tests.py
@@ -305,6 +305,22 @@ def test_https_good_referer_2(self):
         req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
         self.assertEqual(None, req2)
 
+    def test_https_good_referer_with_port_443(self):
+        req = self._get_POST_request_with_token()
+        req._is_secure_override = True
+        req.META['HTTP_HOST'] = 'www.example.com:443'
+        req.META['HTTP_REFERER'] = 'https://www.example.com/somepage'
+        req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+        self.assertEqual(None, req2)
+
+    def test_https_good_referer_with_port_80(self):
+        req = self._get_POST_request_with_token()
+        req._is_secure_override = True
+        req.META['HTTP_HOST'] = 'www.example.com:80'
+        req.META['HTTP_REFERER'] = 'https://www.example.com/somepage'
+        req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+        self.assertEqual(None, req2)
+
     def test_ensures_csrf_cookie_no_middleware(self):
         """
         Tests that ensures_csrf_cookie decorator fulfils its promise