Wednesday, September 28, 2011

Re: Disable HTTP Referer checking

On Sep 28, 5:19 pm, Tom Evans <tevans...@googlemail.com> wrote:
> On Wed, Sep 28, 2011 at 4:03 PM, sspross <spr...@allink.ch> wrote:
> > Hi Tom
>
> > Thanks for your reply, but
>
> > I don't want to disable a whole view, just disable the HTTP
> > Referer checking in HTTPS.
>
> > silvan
>
Thanks Tom, I will take a closer look at this!

Silvan

> Oh I see - my bad.
>
> There's no way to disable this check, looking at the source code.
>
> The CSRF middleware will automatically accept a request, regardless of
> the referrer/CSRF tokens provided, if the request has the attribute
> '_dont_enforce_csrf_checks' set to True.
> This is meant to be for the test suite to skip CSRF checks (I think),
> but you could abuse it, e.g. by adding some middleware which checks that
> the call is valid and adding that attribute if you think the request
> is genuine.
>
> Cheers
>
> Tom
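
The middleware approach described above, as an added example that is not part of the original thread or Django's own code: it sets `_dont_enforce_csrf_checks` only when a request under one path prefix carries a valid HMAC signature. Because the flag skips the token check as well as the Referer check, the middleware has to prove the request genuine by itself. The header name, shared secret, path prefix and `FakeRequest` stand-in are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumptions (hypothetical, not from the thread): secret, path prefix, header name.
SHARED_SECRET = b"constructed-demo-secret"  # load from a secret store in practice
SIGNED_PREFIX = "/api/hooks/"
SIGNATURE_META_KEY = "HTTP_X_SIGNATURE"     # request.META form of an X-Signature header


def expected_signature(method, path, body, secret=SHARED_SECRET):
    """Hex HMAC-SHA256 over method, path and body."""
    msg = method.upper().encode() + b"\n" + path.encode() + b"\n" + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def is_genuine(request):
    """True only for requests under SIGNED_PREFIX that carry a valid signature."""
    if not request.path.startswith(SIGNED_PREFIX):
        return False
    supplied = request.META.get(SIGNATURE_META_KEY, "")
    wanted = expected_signature(request.method, request.path, request.body)
    # Constant-time comparison so the check does not leak the expected value.
    return hmac.compare_digest(supplied.encode(), wanted.encode())


class SignedRequestCsrfExemptMiddleware:
    """New-style Django middleware: a plain callable, so no Django import is needed."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        if is_genuine(request):
            # Skips the Referer check AND the token check in the CSRF middleware.
            request._dont_enforce_csrf_checks = True
        return self.get_response(request)


class FakeRequest:
    """Constructed stand-in for django.http.HttpRequest so the example runs offline."""

    def __init__(self, method, path, body=b"", meta=None):
        self.method, self.path, self.body = method, path, body
        self.META = meta or {}
```

Every request that fails the signature check, or falls outside the prefix, is left untouched and still goes through the normal CSRF checks.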
