summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFlávio Juvenal <flaviojuvenal@gmail.com>2017-05-24 16:36:45 -0700
committerTim Graham <timograham@gmail.com>2017-06-22 11:50:00 -0400
commit0af14b2eaa0bf0821a8aacc8486489a1eb348397 (patch)
tree36aeed00ae415f909278cea45e3d242990e39599
parente1cd5a76d739210ae3b45d2c5f1ac7a556d6fa53 (diff)
Refs #16870 -- Doc'd that CSRF protection requires the Referer header.
-rw-r--r--django/views/csrf.py8
-rw-r--r--docs/ref/csrf.txt12
-rw-r--r--tests/view_tests/tests/test_csrf.py7
3 files changed, 27 insertions, 0 deletions
diff --git a/django/views/csrf.py b/django/views/csrf.py
index 6119f3b49d..0689df84e4 100644
--- a/django/views/csrf.py
+++ b/django/views/csrf.py
@@ -41,6 +41,7 @@ CSRF_FAILURE_TEMPLATE = """
{% if no_referer %}
<p>{{ no_referer1 }}</p>
<p>{{ no_referer2 }}</p>
+ <p>{{ no_referer3 }}</p>
{% endif %}
{% if no_cookie %}
<p>{{ no_cookie1 }}</p>
@@ -119,6 +120,13 @@ def csrf_failure(request, reason="", template_name=CSRF_FAILURE_TEMPLATE_NAME):
"If you have configured your browser to disable 'Referer' headers, "
"please re-enable them, at least for this site, or for HTTPS "
"connections, or for 'same-origin' requests."),
+ 'no_referer3': _(
+ "If you are using the <meta name=\"referrer\" "
+ "content=\"no-referrer\"> tag or including the 'Referrer-Policy: "
+ "no-referrer' header, please remove them. The CSRF protection "
+ "requires the 'Referer' header to do strict referer checking. If "
+ "you're concerned about privacy, use alternatives like "
+ "<a rel=\"noreferrer\" ...> for links to third-party sites."),
'no_cookie': reason == REASON_NO_CSRF_COOKIE,
'no_cookie1': _(
"You are seeing this message because this site requires a CSRF "
diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt
index 802d7251ab..dd5ea479ae 100644
--- a/docs/ref/csrf.txt
+++ b/docs/ref/csrf.txt
@@ -315,7 +315,19 @@ the HOST header <host-headers-virtual-hosting>` and that there aren't any
(because XSS vulnerabilities already let an attacker do anything a CSRF
vulnerability allows and much worse).
+.. admonition:: Removing the ``Referer`` header
+
+ To avoid disclosing the referrer URL to third-party sites, you might want
+ to `disable the referer`_ on your site's ``<a>`` tags. For example, you
+ might use the ``<meta name="referrer" content="no-referrer">`` tag or
+ include the ``Referrer-Policy: no-referrer`` header. Due to the CSRF
+ protection's strict referer checking on HTTPS requests, those techniques
+ cause a CSRF failure on requests with 'unsafe' methods. Instead, use
+ alternatives like ``<a rel="noreferrer" ...>"`` for links to third-party
+ sites.
+
.. _BREACH: http://breachattack.com/
+.. _disable the referer: https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery
Caching
=======
diff --git a/tests/view_tests/tests/test_csrf.py b/tests/view_tests/tests/test_csrf.py
index 8a3f86c376..4c20cb897d 100644
--- a/tests/view_tests/tests/test_csrf.py
+++ b/tests/view_tests/tests/test_csrf.py
@@ -55,6 +55,13 @@ class CsrfViewTests(SimpleTestCase):
'HTTPS connections, or for &#39;same-origin&#39; requests.',
status_code=403,
)
+ self.assertContains(
+ response,
+ 'If you are using the &lt;meta name=&quot;referrer&quot; '
+ 'content=&quot;no-referrer&quot;&gt; tag or including the '
+ '&#39;Referrer-Policy: no-referrer&#39; header, please remove them.',
+ status_code=403,
+ )
def test_no_cookies(self):
"""