From cfd8c918390cd5317621124d224a009196f8755c Mon Sep 17 00:00:00 2001
From: Chris Jerdonek <chris.jerdonek@gmail.com>
Date: Fri, 26 Mar 2021 02:47:32 -0700
Subject: [PATCH] Refs #32596 -- Optimized CsrfViewMiddleware._check_referer()
 to delay computing good_referer.

---
 django/middleware/csrf.py | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
index 82da2515d2..18af1d619a 100644
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -274,6 +274,12 @@ class CsrfViewMiddleware(MiddlewareMixin):
         if referer.scheme != 'https':
             raise RejectRequest(REASON_INSECURE_REFERER)
 
+        if any(
+            is_same_domain(referer.netloc, host)
+            for host in self.csrf_trusted_origins_hosts
+        ):
+            return
+        # Allow matching the configured cookie domain.
         good_referer = (
             settings.SESSION_COOKIE_DOMAIN
             if settings.CSRF_USE_SESSIONS
@@ -286,18 +292,13 @@ class CsrfViewMiddleware(MiddlewareMixin):
                 # request.get_host() includes the port.
                 good_referer = request.get_host()
             except DisallowedHost:
-                pass
+                raise RejectRequest(REASON_BAD_REFERER % referer.geturl())
         else:
             server_port = request.get_port()
             if server_port not in ('443', '80'):
                 good_referer = '%s:%s' % (good_referer, server_port)
 
-        # Create an iterable of all acceptable HTTP referers.
-        good_hosts = self.csrf_trusted_origins_hosts
-        if good_referer is not None:
-            good_hosts = (*good_hosts, good_referer)
-
-        if not any(is_same_domain(referer.netloc, host) for host in good_hosts):
+        if not is_same_domain(referer.netloc, good_referer):
             raise RejectRequest(REASON_BAD_REFERER % referer.geturl())
 
     def process_request(self, request):