Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-02 Thread Flávio Junior
Some browsers already implement the Referrer Policy draft, which gives the developer more control over the Referer HTTP header sent by the browser. Sometimes it is useful to set a more private policy, like *Origin When Cro

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-03 Thread Flávio Junior
creveu: > > Seems to me we could ignore the referrer if we get a valid same-domain > Origin header. > > On Wed, Dec 2, 2015 at 1:29 PM, Flávio Junior > wrote: > >> Some browsers already implement the Referrer Policy draft >> <https://w3c.github.io/webappsec-ref

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-03 Thread Flávio Junior
> > > On Wednesday, December 2, 2015 at 7:37:30 PM UTC+1, Flávio Junior wrote: >> >> If Django still needs >> <https://code.djangoproject.com/ticket/17563#comment:2> the strict >> referrer check, maybe a better error message should be implemented. >> > &g

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-04 Thread Flávio Junior
Found an issue that already discusses this: https://code.djangoproject.com/ticket/16870#comment:10 On Thursday, December 3, 2015 at 13:41:09 UTC-3, Flávio Junior wrote: > > Florian, then Django will have to keep this limitation: can't use a global > no-referrer policy on

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-04 Thread Flávio Junior
nderstanding of the >> limitation, could you submit a documentation patch (or even just provide >> some draft text here)? >> >> On Friday, December 4, 2015 at 8:25:35 AM UTC-5, Flávio Junior wrote: >>> >>> Found an issue that already discusses this: >>&

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2015-12-04 Thread Flávio Junior
gt; On Wed, Dec 2, 2015 at 10:29 AM, Flávio Junior > wrote: > > Also, I can't imagine now why, but some > > developer might want to disable referer header altogether, and can > easily do > > so by setting policy to No Referrer. > > Why is it unimaginable that

Django 2.1 default of samesite=Lax for Session and CSRF cookies cause issues on Safari 12

2019-03-13 Thread Flávio Junior
Hi folks, after upgrading to Django 2.1, we noticed many occurrences of 403 CSRF errors for Safari 12 users. After days of debugging the problem, we've pinpointed the issue to WebKit Bug 188165: https://bugs.webkit.org/show_bug.cgi?id=188165 In simple terms, Safari 12's implementation of samesite

Re: Django 2.1 default of samesite=Lax for Session and CSRF cookies cause issues on Safari 12

2019-03-15 Thread Flávio Junior
if 'Strict', AFAIK. > > So this is a Safari bug? > > > - User will not be able to make AJAX POST requests if > CSRF_COOKIE_SAMESITE = 'Lax', because JS code won't be able to read the > CSRF cookie. > > I have to reread the specs, but shouldn&#x

Re: Django 2.1 default of samesite=Lax for Session and CSRF cookies cause issues on Safari 12

2019-03-18 Thread Flávio Junior
Hey Mat, thanks for the input. Good to know SESSION_COOKIE_SAMESITE = None and CSRF_COOKIE_SAMESITE = None solved issue 29975. Do you want to post this solution there? I can do it too. I've updated safari-samesite-cookie-issue to

Re: Django 2.1 default of samesite=Lax for Session and CSRF cookies cause issues on Safari 12

2019-03-28 Thread Flávio Junior
x27;s blog or anywhere else? On Tuesday, March 19, 2019 at 5:58:01 AM UTC-3, Florian Apolloner wrote: > > > > On Monday, March 18, 2019 at 10:50:17 PM UTC+1, Flávio Junior wrote: >> >> What are the next steps? >> A warning at the docs for these settings? >> >

Re: Referrer Policy Delivery, Django shouldn't do strict referrer check anymore?

2017-05-24 Thread Flávio Junior
still need to rely on the referrer header. > > On Sat, Dec 5, 2015 at 3:42 AM, Florian Apolloner > wrote: > >> >> >> On Friday, December 4, 2015 at 8:03:45 PM UTC+1, Flávio Junior wrote: >>> >>> I can create a ticket suggesting Django to check Origin