Home > mailing lists

Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default - Mailing list pgsql-www

From	Marti Raudsepp
Subject	Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default
Date	November 2, 2012 18:10:32
Msg-id	CABRT9RCBOJUM4hdE0PWhUVfL67t8ZbPJj2hDLeVuHoeCcsA4ow@mail.gmail.com Whole thread Raw
In response to	Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default (Magnus Hagander <magnus@hagander.net>)
Responses	Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default
List	pgsql-www

Tree view

On Fri, Nov 2, 2012 at 4:32 PM, Magnus Hagander <magnus@hagander.net> wrote:
> No, that's not a problem. We strip cookies in varnish by default. We only
> support them over https...

Ahhh! That explains everything. I wasn't aware of the magic that
happens on the proxy level. I thought you were relying on Django to
not send cookies when not necessary, and the proxy respected the HTTP
headers sent by Django like a conforming HTTP proxy.

The attached patch adds @csrf_exempt to the survey view and removes
csrf_token from the template.

> if we have any other such pages (other than the search, but we can certainly
> disable CSRF for search, right?)

Search uses GET parameters so it already bypasses CSRF.

Regards,
Marti

Attachment

0001-Enable-CsrfViewMiddleware-make-CSRF-protection-requi.patch

pgsql-www by date:

From: Magnus Hagander
Date: 02 November 2012, 17:36:27
Subject: Re: Search points to ancient manuals

From: Magnus Hagander
Date: 05 November 2012, 16:12:34
Subject: Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default

Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default - Mailing list pgsql-www

Attachment

Previous

Next