summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
authorJoshua Kehn <josh@kehn.us>2015-08-31 22:32:03 -0400
committerTim Graham <timograham@gmail.com>2015-09-05 09:19:57 -0400
commitab26b65b2f178597be845e203eb698e193e3502e (patch)
tree0373fa71f7f14e4bd4b24efe36554741144209ba /tests
parent48c420d99209b147b58d7b873d1b54f76249c8dc (diff)
Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS.
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other domains that are included during the CSRF Referer header verification for secure (HTTPS) requests.
Diffstat (limited to 'tests')
-rw-r--r--tests/csrf_tests/tests.py13
1 files changed, 13 insertions, 0 deletions
diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py
index 2d347ccdde..aaa9a6969a 100644
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@@ -352,6 +352,19 @@ class CsrfViewMiddlewareTest(SimpleTestCase):
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertIsNone(req2)
+ @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_TRUSTED_ORIGINS=['dashboard.example.com'])
+ def test_https_csrf_trusted_origin_allowed(self):
+ """
+ A POST HTTPS request with a referer added to the CSRF_TRUSTED_ORIGINS
+ setting is accepted.
+ """
+ req = self._get_POST_request_with_token()
+ req._is_secure_override = True
+ req.META['HTTP_HOST'] = 'www.example.com'
+ req.META['HTTP_REFERER'] = 'https://dashboard.example.com'
+ req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+ self.assertIsNone(req2)
+
def test_ensures_csrf_cookie_no_middleware(self):
"""
Tests that ensures_csrf_cookie decorator fulfils its promise