Currently, Django's CSRF middleware will reject any 'non-safe' HTTPS 
request that lacks a Referer header: 
https://github.com/django/django/blob/22e8ab02863819093832de9f771bf40a62a6bd4a/django/middleware/csrf.py#L242

However, some users may prevent their browsers from sending the Referer 
header, due to privacy concerns. These users are unable to submit 
'non-safe' requests (e.g. POST requests) on HTTPS-enabled Django-powered 
websites that use CSRF protection.

For some websites, checking the Referer header may provide no added 
security benefit. For example, an HSTS-preloaded website which controls all 
of its subdomains has nothing to gain from this check - there are no 
untrusted subdomains which can mount an attack, and HSTS prevents an HTTP 
MITM attack.

To allow these websites to provide more flexibility to their users, Django 
should support disabling this CSRF Referer check. This could be done 
through a new setting, e.g. 'CSRF_REFERER_CHECK' (defaulting to 'True' to 
avoid breaking existing sites).

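The check described in this post and the proposed opt-out, as an added standalone example that is not Django's code and not part of the original post. The function below models the shape of the Referer check that CsrfViewMiddleware applies to non-safe HTTPS requests (reject when the Referer is missing, not HTTPS, or does not match the request host, CSRF_COOKIE_DOMAIN or CSRF_TRUSTED_ORIGINS) and gates it on the hypothetical CSRF_REFERER_CHECK setting suggested above. The plain-dict request and settings shapes and the helper names are assumptions for illustration; it runs without Django installed.

```python
from urllib.parse import urlparse

# Methods the CSRF middleware treats as "safe" (no check at all).
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def is_same_domain(host, pattern):
    """Match in the style of Django's is_same_domain (re-implemented here):
    a pattern beginning with '.' matches that domain and any subdomain;
    any other pattern must match the host exactly."""
    host, pattern = host.lower(), pattern.lower()
    if not pattern:
        return False
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def referer_failure(request, settings):
    """Return None if the request passes the Referer check, else a reason.

    request  (assumed shape): {'method', 'is_secure', 'host', 'port', 'headers'}
             where 'host' is what request.get_host() would return and
             'port' is a string such as '443'.
    settings (assumed shape): optional CSRF_REFERER_CHECK (hypothetical,
             default True), CSRF_COOKIE_DOMAIN, CSRF_TRUSTED_ORIGINS.
    """
    # Safe methods and plain-HTTP requests are never Referer-checked.
    if request["method"] in SAFE_METHODS or not request["is_secure"]:
        return None
    # Hypothetical opt-out from the post: only sensible for an
    # HSTS-preloaded site that controls every one of its subdomains.
    if not settings.get("CSRF_REFERER_CHECK", True):
        return None

    referer = request["headers"].get("Referer")
    if not referer:
        return "Referer checking failed - no Referer."
    parsed = urlparse(referer)
    if parsed.scheme != "https" or not parsed.netloc:
        return "Referer checking failed - %s is insecure or malformed." % referer

    # Trusted host: the cookie domain (with non-default port) if set,
    # otherwise the host the request was made to.
    good_referer = settings.get("CSRF_COOKIE_DOMAIN")
    if good_referer is not None:
        if request["port"] not in ("443", "80"):
            good_referer = "%s:%s" % (good_referer, request["port"])
    else:
        good_referer = request["host"]
    good_hosts = list(settings.get("CSRF_TRUSTED_ORIGINS", [])) + [good_referer]

    if not any(is_same_domain(parsed.netloc, h) for h in good_hosts):
        return ("Referer checking failed - %s does not match any trusted "
                "origins." % referer)
    return None


def make_request(method, referer=None, host="example.com", port="443"):
    """Build a constructed sample request dict (not a real Django request)."""
    headers = {} if referer is None else {"Referer": referer}
    return {"method": method, "is_secure": True, "host": host,
            "port": port, "headers": headers}


if __name__ == "__main__":
    # A privacy-conscious browser that strips Referer: rejected by default,
    # accepted only when the hypothetical setting is turned off.
    stripped = make_request("POST")
    print(referer_failure(stripped, {}))
    print(referer_failure(stripped, {"CSRF_REFERER_CHECK": False}))
    # A cross-site Referer is still rejected while the check is on.
    print(referer_failure(make_request("POST", "https://other.example.net/"), {}))
```

Note that this models only the Referer branch: in the real middleware a request that skips it is still subject to the token/cookie comparison, which is what the post relies on when it argues the Referer check adds nothing for an HSTS-preloaded site with no untrusted subdomains.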