Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-04 Thread Flávio Junior
Yes Jon, makes sense, sorry for missing that. The only HTML-only solution I see for this is to manually add rel="noreferrer" to all external links on my webapp, which is a pain. With extra backend code, one might also implement something similar to https://anon.click/ to prevent referrer leaking.

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-04 Thread Jon Dufresne
On Wed, Dec 2, 2015 at 10:29 AM, Flávio Junior wrote:
> Also, I can't imagine now why, but some developer might want to disable referer header altogether, and can easily do so by setting policy to No Referrer.

Why is it unimaginable that I may want to maximize privacy for my users? The domain

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-04 Thread Flávio Junior
Hi Collin, Firefox doesn't include Origin header on same-origin POST/PUT/DELETE requests. I just tested it and this SO answer says the same. But yes, checking both Origin and Referer headers would help to support Origin When Cross-Origin. I can c

Re: Validation of m2m

2015-12-04 Thread Federico Capoano
It could be a potential ticket to work on my next django dev sprint. But first it would be nice to have some basic consensus on how to proceed. Was it ever discussed in any older thread or ticket?

On Thursday, December 3, 2015 at 5:21:06 PM UTC+1, Tim Graham wrote:
> Here's an open ticket ab

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-04 Thread Collin Anderson
Also, if we checked the origin header, would it allow us to at least support the "Origin When Cross-Origin" policy in all browsers? (Use the Origin header for Safari and the referrer for all of the other browsers?)

On Fri, Dec 4, 2015 at 10:38 AM, Tim Graham wrote:
> Flávio, thanks -- since you

Annotation failure (Combining multiple aggregations)

2015-12-04 Thread Paulo Maciel
Combining multiple aggregations with annotate() will yield the wrong results, as multiple tables are cross joined. Due to the use of LEFT OUTER JOIN, duplicate records will be generated if some of the joined tables contain more records than the other

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-04 Thread Tim Graham
Flávio, thanks -- since you seem to have a good understanding of the limitation, could you submit a documentation patch (or even just provide some draft text here)?

On Friday, December 4, 2015 at 8:25:35 AM UTC-5, Flávio Junior wrote:
> Found an issue that already discusses this:
> https://cod

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-04 Thread Flávio Junior
Found an issue that already discusses this: https://code.djangoproject.com/ticket/16870#comment:10

On Thursday, December 3, 2015 at 13:41:09 UTC-3, Flávio Junior wrote:
> Florian, then Django will have to keep this limitation: can't use a global no-referrer policy on HTTPS because o