I have the following domain and subdomains both are trusted and both are secure (https):
- https://example.com - https://api.example.com When making POST ajax request from *https://example.com* to *https://api.example.com* I see the following error message: 1. detail: "CSRF Failed: Referer checking failed - https://example.com/path/to/some/url does not match https://api.example.com/."; Which takes me to the *CsrfViewMiddleware* where I see *same_origin* checking: # Note that request.get_host() includes the port. good_referer = 'https://%s/' % request.get_host() if not same_origin(referer, good_referer): reason = REASON_BAD_REFERER % (referer, good_referer) return self._reject(request, reason) I trust my subdomain, but there's no way for this code to actually pass this validation. Am I just missing something? Why would trusted subdomains fail validation here? Can't this at least be a setting something like *TRUSTED_SUBDOMAINS* that's also checked? The other option I see here it to override the *CsrfViewMiddleware's* *process_view* method as others have done <http://bash-shell.net/blog/2014/aug/16/django-cors-and-csrf-validation/>. However, it ends up being a rather extensive rewrite for only the few lines, that are mentioned above, that need to change. Can we rewrite the *CsrfViewMiddleware *to be more modular so it's easy to subclass and overwrite pieces of the csrf vallidation? Something along the lines of: class CsrfViewMiddleware(object): def process_view(self, request, callback, callback_args, callback_kwargs): [...] # Assume that anything not defined as 'safe' by RFC2616 needs protection if request.method not in ('GET', 'HEAD', 'OPTIONS', 'TRACE'): [...] if request.is_secure(): [...] # Note that request.get_host() includes the port. good_referer = 'https://%s/' % request.get_host() if not self.is_same_origin(referer, good_referer): reason = REASON_BAD_REFERER % (referer, good_referer) return self._reject(request, reason) [...] return self._accept(request) def is_same_origin(self, referer, good_referer): return same_origin(referer, good_referer): This at least gives the ability to override the *is_same_origin* method which would allow us to also check for legit subdomains (in this case https://api.example.com). Thoughts? -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at http://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/de9c2aca-c307-4715-b5e0-334a42bd6c2f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
