use Referer instead of Origin when using IE

* IE10 (and 11) do not send HTTP_ORIGIN when requesting a URL no in the same origin, although recommended by WHATWG [1] * if IE10 is used, use the referer. If this header is supressed by the user, it won't work (and I don't care). IE10 needs to die, seriously: > We have a long-standing interoperability difference with other browsers > where we treat different ports as same-origin whereas other browsers > treat them as cross-origin. via https://connect.microsoft.com/IE/feedback/details/781303/origin-header-is-not-added-to-cors-requests-to-same-domain-but-different-port [1] http://tools.ietf.org/html/draft-abarth-origin-09
isso-comments · Dec 2, 2013 · 9a03cca · 9a03cca
1 parent 4c16ba7
commit 9a03cca
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/isso/views/comments.py b/isso/views/comments.py
@@ -12,6 +12,7 @@
 from werkzeug.routing import Rule
 from werkzeug.wrappers import Response
 from werkzeug.exceptions import BadRequest, Forbidden, NotFound
+from werkzeug.useragents import UserAgent
 
 from isso.compat import text_type as str
 
@@ -44,7 +45,10 @@ def csrf(view):
 
     def dec(self, environ, request, *args, **kwargs):
 
-        origin = request.headers.get("Origin", "")
+        if UserAgent(environ).browser == "msie":  # yup
+            origin = request.headers.get("Referer", "")
+        else:
+            origin = request.headers.get("Origin", "")
         if parse.host(origin) not in map(parse.host, self.conf.getiter("host")):
             raise Forbidden("CSRF")