Refs #16870 -- Doc'd that CSRF protection requires the Referer header.
This commit is contained in:
parent
e1cd5a76d7
commit
0af14b2eaa
|
@ -41,6 +41,7 @@ CSRF_FAILURE_TEMPLATE = """
|
||||||
{% if no_referer %}
|
{% if no_referer %}
|
||||||
<p>{{ no_referer1 }}</p>
|
<p>{{ no_referer1 }}</p>
|
||||||
<p>{{ no_referer2 }}</p>
|
<p>{{ no_referer2 }}</p>
|
||||||
|
<p>{{ no_referer3 }}</p>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if no_cookie %}
|
{% if no_cookie %}
|
||||||
<p>{{ no_cookie1 }}</p>
|
<p>{{ no_cookie1 }}</p>
|
||||||
|
@ -119,6 +120,13 @@ def csrf_failure(request, reason="", template_name=CSRF_FAILURE_TEMPLATE_NAME):
|
||||||
"If you have configured your browser to disable 'Referer' headers, "
|
"If you have configured your browser to disable 'Referer' headers, "
|
||||||
"please re-enable them, at least for this site, or for HTTPS "
|
"please re-enable them, at least for this site, or for HTTPS "
|
||||||
"connections, or for 'same-origin' requests."),
|
"connections, or for 'same-origin' requests."),
|
||||||
|
'no_referer3': _(
|
||||||
|
"If you are using the <meta name=\"referrer\" "
|
||||||
|
"content=\"no-referrer\"> tag or including the 'Referrer-Policy: "
|
||||||
|
"no-referrer' header, please remove them. The CSRF protection "
|
||||||
|
"requires the 'Referer' header to do strict referer checking. If "
|
||||||
|
"you're concerned about privacy, use alternatives like "
|
||||||
|
"<a rel=\"noreferrer\" ...> for links to third-party sites."),
|
||||||
'no_cookie': reason == REASON_NO_CSRF_COOKIE,
|
'no_cookie': reason == REASON_NO_CSRF_COOKIE,
|
||||||
'no_cookie1': _(
|
'no_cookie1': _(
|
||||||
"You are seeing this message because this site requires a CSRF "
|
"You are seeing this message because this site requires a CSRF "
|
||||||
|
|
|
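Review bot: The new `no_referer3` text offers only `<a rel="noreferrer">` as the privacy-preserving alternative, which is narrower than the check needs: the strict referer comparison only has to see a `Referer` on same-origin unsafe requests, so a `Referrer-Policy: same-origin` header keeps those form posts working while still withholding the referrer from third-party sites. Consider closing the string with `"you're concerned about privacy, use alternatives like "`, `"<a rel=\"noreferrer\" ...> for links to third-party sites, or the "`, `"'Referrer-Policy: same-origin' header."`. The paragraph also tells the reader to remove the site's tag/header, which only the site operator can do, so unlike `no_referer1`/`no_referer2` it addresses the developer rather than the visiting user; a short comment above the key such as `# Guidance for site developers, not for the visitor seeing the page.` would make that intent clear to translators and maintainers. The body of `csrf_failure` continues outside this hunk.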
@ -315,7 +315,19 @@ the HOST header <host-headers-virtual-hosting>` and that there aren't any
|
||||||
(because XSS vulnerabilities already let an attacker do anything a CSRF
|
(because XSS vulnerabilities already let an attacker do anything a CSRF
|
||||||
vulnerability allows and much worse).
|
vulnerability allows and much worse).
|
||||||
|
|
||||||
|
.. admonition:: Removing the ``Referer`` header
|
||||||
|
|
||||||
|
To avoid disclosing the referrer URL to third-party sites, you might want
|
||||||
|
to `disable the referer`_ on your site's ``<a>`` tags. For example, you
|
||||||
|
might use the ``<meta name="referrer" content="no-referrer">`` tag or
|
||||||
|
include the ``Referrer-Policy: no-referrer`` header. Due to the CSRF
|
||||||
|
protection's strict referer checking on HTTPS requests, those techniques
|
||||||
|
cause a CSRF failure on requests with 'unsafe' methods. Instead, use
|
||||||
|
alternatives like ``<a rel="noreferrer" ...>"`` for links to third-party
|
||||||
|
sites.
|
||||||
|
|
||||||
.. _BREACH: http://breachattack.com/
|
.. _BREACH: http://breachattack.com/
|
||||||
|
.. _disable the referer: https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery
|
||||||
|
|
||||||
Caching
|
Caching
|
||||||
=======
|
=======
|
||||||
|
|
|
@ -55,6 +55,13 @@ class CsrfViewTests(SimpleTestCase):
|
||||||
'HTTPS connections, or for 'same-origin' requests.',
|
'HTTPS connections, or for 'same-origin' requests.',
|
||||||
status_code=403,
|
status_code=403,
|
||||||
)
|
)
|
||||||
|
self.assertContains(
|
||||||
|
response,
|
||||||
|
'If you are using the <meta name="referrer" '
|
||||||
|
'content="no-referrer"> tag or including the '
|
||||||
|
''Referrer-Policy: no-referrer' header, please remove them.',
|
||||||
|
status_code=403,
|
||||||
|
)
|
||||||
|
|
||||||
def test_no_cookies(self):
|
def test_no_cookies(self):
|
||||||
"""
|
"""
|
||||||
|
|
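Review bot: The new assertion stops after "please remove them." and never checks the second half of `no_referer3`, where the anchor markup lives, so a regression in how `<a rel=\"noreferrer\" ...>` is escaped on the 403 page would go unnoticed. Assuming the template autoescapes `{{ no_referer3 }}` as the entity-decoded expected strings suggest, a second check such as `self.assertContains(response, 'use alternatives like &lt;a rel=&quot;noreferrer&quot; ...&gt;', status_code=403)` would pin the escaped rendering. Taken literally, the displayed lines `'HTTPS connections, or for 'same-origin' requests.'` and `''Referrer-Policy: no-referrer' header, please remove them.'` are not valid Python literals, which indicates the page rendering has decoded HTML entities (`&#39;`, `&lt;`, `&quot;`) from the source; the committed expected strings should be the escaped form the template actually emits, so confirm against the raw file. The enclosing test method begins above this hunk.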