Issue with CsrfViewMiddleware and "referer" checking for trusted and secure subdomains

2015-05-28 Thread Troy Grosfield
I have the following domain and subdomains; both are trusted and both are secure (https):

- https://example.com
- https://api.example.com

When making a POST ajax request from *https://example.com* to *https://api.example.com* I see the following error message:

1. detail: "CSRF Failed: R

Re: Issue with CsrfViewMiddleware and "referer" checking for trusted and secure subdomains

2015-05-28 Thread Troy Grosfield
> Forgive me, but wouldn't you just declare those views as csrf_exempt? A csrf token at one site isn't going to be valid at another, right?
>
> On Friday, 29 May 2015 13:44:42 UTC+10, Troy Grosfield wrote:
>> I have the following domain and subdom

Re: Issue with CsrfViewMiddleware and "referer" checking for trusted and secure subdomains

2015-05-29 Thread Troy Grosfield
orales wrote: > > On Fri, May 29, 2015 at 12:41 AM, Troy Grosfield > > wrote: > > > > I have the following domain and subdomains both are trusted and both are > secure (https): > > > > https://example.com > > https://api.example.com > >

Re: Issue with CsrfViewMiddleware and "referer" checking for trusted and secure subdomains

2015-05-29 Thread Troy Grosfield
This same issue is being discussed here as well:

- https://groups.google.com/forum/#!topic/django-developers/tEEw02RhV0M

On Friday, May 29, 2015 at 8:23:43 AM UTC-6, Troy Grosfield wrote:
> Thanks @andre for the idea. I have seen the stuff from django-cors-headers and use

Re: Feedback #24496 - Check CSRF Referer against CSRF_COOKIE_DOMAIN

2015-05-29 Thread Troy Grosfield
I just recently posted on the same issue:

- https://groups.google.com/forum/#!topic/django-developers/6kUiODYObnU

I definitely would like to see some change to make communicating between trusted subdomains easier. In my case it's *https://example.com* posting data to *https://api.exampl