Refs #16870 -- Doc'd that CSRF protection requires the Referer header.

This commit is contained in:
Flávio Juvenal 2017-05-24 16:36:45 -07:00 committed by Tim Graham
parent e1cd5a76d7
commit 0af14b2eaa
3 changed files with 27 additions and 0 deletions


@ -41,6 +41,7 @@ CSRF_FAILURE_TEMPLATE = """
{% if no_referer %} {% if no_referer %}
<p>{{ no_referer1 }}</p> <p>{{ no_referer1 }}</p>
<p>{{ no_referer2 }}</p> <p>{{ no_referer2 }}</p>
<p>{{ no_referer3 }}</p>
{% endif %} {% endif %}
{% if no_cookie %} {% if no_cookie %}
<p>{{ no_cookie1 }}</p> <p>{{ no_cookie1 }}</p>
@ -119,6 +120,13 @@ def csrf_failure(request, reason="", template_name=CSRF_FAILURE_TEMPLATE_NAME):
"If you have configured your browser to disable 'Referer' headers, " "If you have configured your browser to disable 'Referer' headers, "
"please re-enable them, at least for this site, or for HTTPS " "please re-enable them, at least for this site, or for HTTPS "
"connections, or for 'same-origin' requests."), "connections, or for 'same-origin' requests."),
'no_referer3': _(
"If you are using the <meta name=\"referrer\" "
"content=\"no-referrer\"> tag or including the 'Referrer-Policy: "
"no-referrer' header, please remove them. The CSRF protection "
"requires the 'Referer' header to do strict referer checking. If "
"you're concerned about privacy, use alternatives like "
"<a rel=\"noreferrer\" ...> for links to third-party sites."),
'no_cookie': reason == REASON_NO_CSRF_COOKIE, 'no_cookie': reason == REASON_NO_CSRF_COOKIE,
'no_cookie1': _( 'no_cookie1': _(
"You are seeing this message because this site requires a CSRF " "You are seeing this message because this site requires a CSRF "
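Review bot: The new `no_referer3` entry in the `csrf_failure` context embeds HTML fragments (`<meta name="referrer" ...>`, `<a rel="noreferrer" ...>`) inside a translatable string, and nothing at the definition records that they are meant to be displayed as literal text rather than rendered. The matching `<p>{{ no_referer3 }}</p>` added to `CSRF_FAILURE_TEMPLATE` in the first hunk outputs it through the template's default autoescaping, which is what the test added in this commit depends on when it expects `&lt;meta name=&quot;referrer&quot;`; a comment above the entry would make that dependency explicit so a later `|safe` or `mark_safe()` on this value is not added by accident, e.g. `# Contains markup that must be shown literally; relies on template autoescaping.` Because the string goes through `_()`, the tag names and attribute values also travel through the translation catalogs, and a short translator comment noting they must be kept verbatim would help. `csrf_failure` continues past the end of the hunk.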


@ -315,7 +315,19 @@ the HOST header <host-headers-virtual-hosting>` and that there aren't any
(because XSS vulnerabilities already let an attacker do anything a CSRF (because XSS vulnerabilities already let an attacker do anything a CSRF
vulnerability allows and much worse). vulnerability allows and much worse).
.. admonition:: Removing the ``Referer`` header
To avoid disclosing the referrer URL to third-party sites, you might want
to `disable the referer`_ on your site's ``<a>`` tags. For example, you
might use the ``<meta name="referrer" content="no-referrer">`` tag or
include the ``Referrer-Policy: no-referrer`` header. Due to the CSRF
protection's strict referer checking on HTTPS requests, those techniques
cause a CSRF failure on requests with 'unsafe' methods. Instead, use
alternatives like ``<a rel="noreferrer" ...>"`` for links to third-party
sites.
.. _BREACH: http://breachattack.com/ .. _BREACH: http://breachattack.com/
.. _disable the referer: https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery
Caching Caching
======= =======


@ -55,6 +55,13 @@ class CsrfViewTests(SimpleTestCase):
'HTTPS connections, or for &#39;same-origin&#39; requests.', 'HTTPS connections, or for &#39;same-origin&#39; requests.',
status_code=403, status_code=403,
) )
self.assertContains(
response,
'If you are using the &lt;meta name=&quot;referrer&quot; '
'content=&quot;no-referrer&quot;&gt; tag or including the '
'&#39;Referrer-Policy: no-referrer&#39; header, please remove them.',
status_code=403,
)
def test_no_cookies(self): def test_no_cookies(self):
""" """