Refs #16870 -- Doc'd that CSRF protection requires the Referer header.
This commit is contained in:
parent
e1cd5a76d7
commit
0af14b2eaa
@ -41,6 +41,7 @@ CSRF_FAILURE_TEMPLATE = """
|
||||
{% if no_referer %}
|
||||
<p>{{ no_referer1 }}</p>
|
||||
<p>{{ no_referer2 }}</p>
|
||||
<p>{{ no_referer3 }}</p>
|
||||
{% endif %}
|
||||
{% if no_cookie %}
|
||||
<p>{{ no_cookie1 }}</p>
|
||||
@ -119,6 +120,13 @@ def csrf_failure(request, reason="", template_name=CSRF_FAILURE_TEMPLATE_NAME):
|
||||
"If you have configured your browser to disable 'Referer' headers, "
|
||||
"please re-enable them, at least for this site, or for HTTPS "
|
||||
"connections, or for 'same-origin' requests."),
|
||||
'no_referer3': _(
|
||||
"If you are using the <meta name=\"referrer\" "
|
||||
"content=\"no-referrer\"> tag or including the 'Referrer-Policy: "
|
||||
"no-referrer' header, please remove them. The CSRF protection "
|
||||
"requires the 'Referer' header to do strict referer checking. If "
|
||||
"you're concerned about privacy, use alternatives like "
|
||||
"<a rel=\"noreferrer\" ...> for links to third-party sites."),
|
||||
'no_cookie': reason == REASON_NO_CSRF_COOKIE,
|
||||
'no_cookie1': _(
|
||||
"You are seeing this message because this site requires a CSRF "
|
||||
|
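Review bot: The new `no_referer3` message (L46–L64) embeds HTML-looking fragments — `<meta name="referrer" content="no-referrer">` and `<a rel="noreferrer" ...>` — inside a translatable string, so the result on the 403 page depends on the `<p>{{ no_referer3 }}</p>` line in the template hunk above being rendered with autoescaping on (Django's default), which shows the tags as visible text rather than live markup. That is the intended outcome, but it is worth stating next to the string so nobody later marks it safe or adds `|safe` to the template, since a translated string would then carry markup straight into the response. A translator comment directly above the key would also keep the snippets intact across locales, e.g. `# Translators: keep the <meta ...> and <a ...> snippets verbatim; they are displayed as text, not rendered.` The enclosing csrf_failure function starts outside the hunk.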
@ -315,7 +315,19 @@ the HOST header <host-headers-virtual-hosting>` and that there aren't any
|
||||
(because XSS vulnerabilities already let an attacker do anything a CSRF
|
||||
vulnerability allows and much worse).
|
||||
|
||||
.. admonition:: Removing the ``Referer`` header
|
||||
|
||||
To avoid disclosing the referrer URL to third-party sites, you might want
|
||||
to `disable the referer`_ on your site's ``<a>`` tags. For example, you
|
||||
might use the ``<meta name="referrer" content="no-referrer">`` tag or
|
||||
include the ``Referrer-Policy: no-referrer`` header. Due to the CSRF
|
||||
protection's strict referer checking on HTTPS requests, those techniques
|
||||
cause a CSRF failure on requests with 'unsafe' methods. Instead, use
|
||||
alternatives like ``<a rel="noreferrer" ...>"`` for links to third-party
|
||||
sites.
|
||||
|
||||
.. _BREACH: http://breachattack.com/
|
||||
.. _disable the referer: https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery
|
||||
|
||||
Caching
|
||||
=======
|
||||
|
@ -55,6 +55,13 @@ class CsrfViewTests(SimpleTestCase):
|
||||
'HTTPS connections, or for 'same-origin' requests.',
|
||||
status_code=403,
|
||||
)
|
||||
self.assertContains(
|
||||
response,
|
||||
'If you are using the <meta name="referrer" '
|
||||
'content="no-referrer"> tag or including the '
|
||||
''Referrer-Policy: no-referrer' header, please remove them.',
|
||||
status_code=403,
|
||||
)
|
||||
|
||||
def test_no_cookies(self):
|
||||
"""
|
||||
|
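Review bot: The added `assertContains` at L146–L164 matches against the raw response body, so the expected substring must be written in the autoescaped form the template emits (`&lt;meta name=&quot;referrer&quot;` and `&#39;` rather than literal `<`, `"` and `'`), otherwise the assertion cannot find the text. The doubled quote at the start of L158 (`''Referrer-Policy`) suggests the rendered page has already decoded such entities, so this is most likely a display artifact of the page rather than a defect in the committed test, but it should be confirmed against the source file. If the test does use literal characters, passing `html=True` or spelling out the entities would make the comparison match the escaped output. The surrounding test method begins before the hunk, and `test_no_cookies` continues past it.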