As a data point, I've customized my csrf checking to skip the referrer
checking if there's a correct origin header. Though yes, it doesn't work in
some browsers. (I haven't set up Referrer-Policy so that hasn't been an
issue for me yet.)
I think it's worth mentioning too that same-site cookies ar
Not necessarily, one could still use the Origin header in cases where
software strips the Referer and if you set the Referrer-Policy to
same-origin you shouldn't have problems with Firefox either.
On Saturday, November 10, 2018 at 1:42:41 PM UTC+1, Adam Johnson wrote:
>
> I would think that fea
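The scheme described in the two messages above (accept a correct Origin header, fall back to the Referer check only when Origin is absent, and reject when neither is usable), as an added example that is not Django's middleware code nor any participant's code. `ALLOWED_ORIGINS`, the `headers` dicts and the `is_secure` flag are constructed inputs for the example; real deployments would read them from settings and the request object.

```python
"""Origin-first CSRF source check with Referer fallback.

Added example, not Django's own middleware. It accepts a non-safe HTTPS
request when the Origin header names an allowed origin, falls back to the
Referer header only when the browser sent no Origin at all, and rejects the
request when neither header is usable (the case the thread discusses, where
a Referrer-Policy or proxy strips the Referer).
"""
from urllib.parse import urlsplit

# Hypothetical site configuration: origins allowed to issue state-changing
# requests. Stored lower-cased; no host/port normalisation beyond that.
ALLOWED_ORIGINS = {"https://example.com", "https://app.example.com"}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def origin_of(url):
    """Reduce a URL to scheme://host[:port], or None if it lacks either."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_source_check(method, is_secure, headers):
    """Return (accepted, reason) for one request.

    ``headers`` is a plain dict of request headers (constructed input for
    the example). Only non-safe HTTPS requests are subject to the check,
    matching the behaviour the thread attributes to Django's middleware.
    """
    if method.upper() in SAFE_METHODS or not is_secure:
        return True, "not subject to referer/origin check"

    origin = headers.get("Origin")
    if origin is not None:
        # The browser has stated the request's source explicitly. The literal
        # "null" is sent for opaque origins (sandboxed frames, some redirects);
        # it is untrusted and must not fall through to the Referer check.
        if origin.lower() in ALLOWED_ORIGINS:
            return True, "origin header matches an allowed origin"
        return False, "origin header does not match an allowed origin"

    # No Origin header (e.g. a browser that does not send it yet): fall back
    # to the Referer, which a stripping policy or proxy may have removed.
    referer = headers.get("Referer")
    if not referer:
        return False, "no Origin and no Referer header"
    referer_origin = origin_of(referer)
    if referer_origin is None or not referer_origin.startswith("https://"):
        return False, "referer missing or not https"
    if referer_origin not in ALLOWED_ORIGINS:
        return False, "referer does not match an allowed origin"
    return True, "referer matches an allowed origin"


def referrer_policy_header():
    """Response header suggested in the thread: keep the Referer on
    same-origin requests (so the fallback above still works) while
    withholding it from cross-origin navigations."""
    return ("Referrer-Policy", "same-origin")


if __name__ == "__main__":
    # Constructed sample requests.
    for hdrs in ({"Origin": "https://example.com"},
                 {"Origin": "null", "Referer": "https://example.com/form"},
                 {"Referer": "https://example.com/form"},
                 {}):
        print(hdrs, "->", csrf_source_check("POST", True, hdrs))
```

The order of the checks is the point: an Origin header that is present but wrong (including the `null` opaque origin) is a rejection, not a reason to consult the Referer, because the Referer is the weaker, more often stripped signal.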
I would think that feature flag rules it out for a long time?
On Sat, 10 Nov 2018 at 09:52, Florian Apolloner wrote:
> Wouldn't one alternative be checking the Origin header? It appears though
> that all browsers support it with the sad exception that it is still behind
> a feature flag in Firef
Wouldn't one alternative be checking the Origin header? It appears though
that all browsers support it with the sad exception that it is still behind
a feature flag in Firefox. :/
(https://bugzilla.mozilla.org/show_bug.cgi?id=1424076)
On Saturday, November 10, 2018 at 1:03:08 AM UTC+1, Adam Joh
I also discovered a similar problem recently when deploying the
"Referrer-Policy" header using James Bennett's library:
https://django-referrer-policy.readthedocs.io/en/stable/ . Initially I
opted for 'no-referrer' as I figured it was the most secure, but since this
check is only done on HTTPS-enab
Currently, Django's CSRF middleware will reject any 'non-safe' HTTPS
request that lacks a Referer header:
https://github.com/django/django/blob/22e8ab02863819093832de9f771bf40a62a6bd4a/django/middleware/csrf.py#L242
However, some users may prevent their browsers from sending the Referer
he