Wednesday, September 28, 2011

Re: Disable HTTP Referer checking

On Wed, Sep 28, 2011 at 4:03 PM, sspross <spross@allink.ch> wrote:
> hi tom
>
> thanks for your reply, but
>
> i don't want to disable a whole view, just disable the http
> referer checking in https.
>
> silvan
>

Oh I see - my bad.

There's no way to disable this check, looking at the source code.

The CSRF middleware will automatically accept a request, regardless of
the referrer/CSRF tokens provided, if the request has the attribute
'_dont_enforce_csrf_checks' set to True.
This is meant to be for the test suite to skip CSRF checks (I think),
but you could abuse it, e.g. by adding some middleware which checks that
the call is valid and adding that attribute if you think the request
is genuine.

Cheers

Tom
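
A sketch of the middleware described in the reply above, added here as an example; it is not part of the original message or of Django itself. It sets `_dont_enforce_csrf_checks` only for HTTPS requests to an allow-listed path whose Referer host is on an explicit allow-list. The class name, host and path values are assumptions, and because the flag skips the token check as well as the Referer check, the exempted paths should be kept as narrow as possible.

```python
from urllib.parse import urlsplit

# Assumed values for illustration; they do not come from the thread.
TRUSTED_REFERER_HOSTS = frozenset({"partner.example.com"})
EXEMPT_PATH_PREFIXES = ("/api/partner-callback/",)


def referer_is_trusted(request):
    """True only for an HTTPS request to an exempt path whose Referer is an
    https URL on an explicitly allow-listed host."""
    if not request.is_secure():
        return False
    if not request.path.startswith(EXEMPT_PATH_PREFIXES):
        return False
    try:
        parts = urlsplit(request.META.get("HTTP_REFERER", ""))
        host = parts.hostname
    except ValueError:  # malformed Referer header
        return False
    # Exact host match only: suffix or substring matching would accept
    # look-alike names such as "partner.example.com.other.example".
    return parts.scheme == "https" and host in TRUSTED_REFERER_HOSTS


class ScopedCsrfExemptMiddleware:
    """Hypothetical middleware: sets the attribute the CSRF middleware
    honours, but only when referer_is_trusted() passes."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        if referer_is_trusted(request):
            # This skips the CSRF token check too, not just the Referer check.
            request._dont_enforce_csrf_checks = True
        return self.get_response(request)


class FakeRequest:
    """Constructed stand-in for HttpRequest so the logic runs without Django."""

    def __init__(self, path, referer=None, secure=True):
        self.path = path
        self.META = {"HTTP_REFERER": referer} if referer else {}
        self._secure = secure

    def is_secure(self):
        return self._secure


def flag_after(request):
    """Run the middleware once and report whether the request was exempted."""
    ScopedCsrfExemptMiddleware(lambda r: r)(request)
    return getattr(request, "_dont_enforce_csrf_checks", False)
```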
