diff options
| author | Joshua Kehn <josh@kehn.us> | 2015-08-31 22:32:03 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-09-05 09:19:57 -0400 |
| commit | ab26b65b2f178597be845e203eb698e193e3502e (patch) | |
| tree | 0373fa71f7f14e4bd4b24efe36554741144209ba /tests | |
| parent | 48c420d99209b147b58d7b873d1b54f76249c8dc (diff) | |
Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS.
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other
domains that are included during the CSRF Referer header verification
for secure (HTTPS) requests.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/csrf_tests/tests.py | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py index 2d347ccdde..aaa9a6969a 100644 --- a/tests/csrf_tests/tests.py +++ b/tests/csrf_tests/tests.py @@ -352,6 +352,19 @@ class CsrfViewMiddlewareTest(SimpleTestCase): req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {}) self.assertIsNone(req2) + @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_TRUSTED_ORIGINS=['dashboard.example.com']) + def test_https_csrf_trusted_origin_allowed(self): + """ + A POST HTTPS request with a referer added to the CSRF_TRUSTED_ORIGINS + setting is accepted. + """ + req = self._get_POST_request_with_token() + req._is_secure_override = True + req.META['HTTP_HOST'] = 'www.example.com' + req.META['HTTP_REFERER'] = 'https://dashboard.example.com' + req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {}) + self.assertIsNone(req2) + def test_ensures_csrf_cookie_no_middleware(self): """ Tests that ensures_csrf_cookie decorator fulfils its promise |
