Ah; now that I understand the purpose of the check, it all makes sense
to me. Thanks, Paul!
-Dave
This check prevents a MITM from injecting an HTTP-based form/csrf
token pair along with JavaScript to auto-submit it to an HTTPS target.
Any HTTP request is vulnerable to all kinds of MITM and there's
nothing we can do about it, but an HTTPS-based request should be as
secure as possible even with
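The scenario Paul describes, as an added example that is not part of the original thread and not Django's own CsrfViewMiddleware code: a hypothetical `csrf_check` that accepts a cookie/form token pair on any request but, on HTTPS only, also requires a Referer from the same origin (scheme, host and default-aware port). The request dicts, the host `example.com` and the token values are constructed for the demonstration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) of a URL, filling in the default port.
    Assumption: only http and https are of interest here."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme))


def same_origin(url_a, url_b):
    """Two URLs are same-origin when scheme, host and port all match."""
    return origin(url_a) == origin(url_b)


def csrf_check(request):
    """Hypothetical analogue of the check discussed in the thread (not Django's code).

    request: dict with keys scheme, host, referer, cookie_token, form_token.
    Returns (accepted, reason).
    """
    if request.get("cookie_token") is None:
        return False, "CSRF cookie not set"
    if request.get("form_token") != request["cookie_token"]:
        return False, "CSRF token missing or incorrect"
    if request["scheme"] == "https":
        # Over HTTPS we can trust the Referer: a MITM cannot forge it on the
        # secure connection, so insist that it is present and same-origin.
        referer = request.get("referer")
        if not referer:
            return False, "Referer checking failed - no Referer"
        expected = "https://%s/" % request["host"]
        if not same_origin(referer, expected):
            return False, "Referer checking failed - %s does not match %s" % (referer, expected)
    return True, "OK"


# Constructed scenario: a MITM on a plain-HTTP page for example.com sets a CSRF
# cookie of its choosing, injects a form carrying the same value, and has
# JavaScript auto-submit that form to the HTTPS application.
INJECTED_TOKEN = "attackerchosen0123456789abcdef"

MITM_SUBMISSION = {
    "scheme": "https",
    "host": "example.com",
    "referer": "http://example.com/injected",  # origin of the injected page is http
    "cookie_token": INJECTED_TOKEN,            # set by the MITM via Set-Cookie over HTTP
    "form_token": INJECTED_TOKEN,              # matches, so the token comparison alone passes
}

LEGIT_SUBMISSION = {
    "scheme": "https",
    "host": "example.com",
    "referer": "https://example.com/account/",
    "cookie_token": "server0123456789abcdefserver0123",
    "form_token": "server0123456789abcdefserver0123",
}

HTTPS_NO_REFERER = dict(LEGIT_SUBMISSION, referer=None)

# Same injected pair aimed at a plain-HTTP target: nothing on the server side
# can distinguish this from a real submission, which is Paul's point.
HTTP_TARGET = dict(MITM_SUBMISSION, scheme="http")


def run_scenarios():
    """Evaluate every constructed request; returns {name: accepted}."""
    scenarios = {
        "mitm_injected_pair_to_https": MITM_SUBMISSION,
        "legit_https": LEGIT_SUBMISSION,
        "https_without_referer": HTTPS_NO_REFERER,
        "injected_pair_to_http": HTTP_TARGET,
    }
    return {name: csrf_check(req)[0] for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print("%-30s %s" % (name, "accepted" if accepted else "rejected"))
```

Only the first scenario is caught by the Referer rule: the token pair matches, but the submitting page's origin is `http://example.com`, not `https://example.com`, so the HTTPS target rejects it. The same pair sent to an HTTP target is accepted, since without a trustworthy Referer there is nothing to compare against.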
If you're using HTTPS, the CsrfViewMiddleware performs a same_origin
check on the domain.
Two questions:
1. What security issue does this prevent? (I assume some kind of MITM,
but I don't understand why it would be important for HTTPS and not for
HTTP.)
2. Because the check uses request.get_host(),