summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
Diffstat (limited to 'tests')
-rw-r--r--tests/csrf_tests/tests.py17
1 files changed, 17 insertions, 0 deletions
diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py
index 987ecd31c5..54570dca42 100644
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@@ -375,6 +375,23 @@ class CsrfViewMiddlewareTest(SimpleTestCase):
req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertIsNone(req2)
+ @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_COOKIE_DOMAIN='.example.com', USE_X_FORWARDED_PORT=True)
+ def test_https_good_referer_behind_proxy(self):
+ """
+ A POST HTTPS request is accepted when USE_X_FORWARDED_PORT=True.
+ """
+ req = self._get_POST_request_with_token()
+ req._is_secure_override = True
+ req.META.update({
+ 'HTTP_HOST': '10.0.0.2',
+ 'HTTP_REFERER': 'https://www.example.com/somepage',
+ 'SERVER_PORT': '8080',
+ 'HTTP_X_FORWARDED_HOST': 'www.example.com',
+ 'HTTP_X_FORWARDED_PORT': '443',
+ })
+ req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
+ self.assertIsNone(req2)
+
@override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_TRUSTED_ORIGINS=['dashboard.example.com'])
def test_https_csrf_trusted_origin_allowed(self):
"""