From f92a21daa78f4f1b34c0188d6d764a5992f94adc Mon Sep 17 00:00:00 2001
From: Luke Plant
Date: Wed, 30 Jun 2010 22:30:37 +0000
Subject: [PATCH] Added proper code comments for the HTTPS CSRF protection. Refs #13489 which noticed a vague comment - thanks pmclanahan
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13405 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/middleware/csrf.py | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
index 10fab290c9a..2fdfdbc9e38 100644
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -126,13 +126,27 @@ class CsrfViewMiddleware(object):
                 return accept()
 
             if request.is_secure():
-                # Strict referer checking for HTTPS
+                # Suppose user visits http://example.com/
+                # An active network attacker,(man-in-the-middle, MITM) sends a
+                # POST form which targets https://example.com/detonate-bomb/ and
+                # submits it via javascript.
+                #
+                # The attacker will need to provide a CSRF cookie and token, but
+                # that is no problem for a MITM and the session independent
+                # nonce we are using. So the MITM can circumvent the CSRF
+                # protection. This is true for any HTTP connection, but anyone
+                # using HTTPS expects better! For this reason, for
+                # https://example.com/ we need additional protection that treats
+                # http://example.com/ as completely untrusted. Under HTTPS,
+                # Barth et al. found that the Referer header is missing for
+                # same-domain requests in only about 0.2% of cases or less, so
+                # we can use strict Referer checking.
                 referer = request.META.get('HTTP_REFERER')
                 if referer is None:
                     return reject("Referer checking failed - no Referer.")
 
                 # The following check ensures that the referer is HTTPS,
-                # the domains match and the ports match. This might be too strict.
+                # the domains match and the ports match - the same origin policy.
                 good_referer = 'https://%s/' % request.get_host()
                 if not referer.startswith(good_referer):
                     return reject("Referer checking failed - %s does not match %s." %
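Review bot: The rewritten comment above `good_referer` calls the prefix comparison "the same origin policy", but the expected origin is built from `request.get_host()`, which as far as this hunk shows is derived from the incoming request rather than from configuration; if that value can be influenced by the client or is not validated upstream, the Referer check is only as strong as the Host value, and the comment should say so, e.g. `# NOTE: good_referer comes from request.get_host(), so this check is only as trustworthy as the Host value it returns.` It is also worth documenting why the trailing slash in `'https://%s/'` matters, since it is what stops `startswith` from accepting a referer such as https://example.com.attacker.net/: `# The trailing '/' keeps startswith() from matching a longer host that merely begins with ours.` Finally, the threat narrative has a stray comma, `# An active network attacker,(man-in-the-middle, MITM) sends a` should read `# An active network attacker (man-in-the-middle, MITM) sends a`. The enclosing process_view method starts and ends outside this hunk.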