On 01/02/2011 07:40, Scott Bennett wrote:
> I just tried to sign up for the "tor weather" email service. Clicking
> on the subscribe button after entering the information requested in various
> places earlier on the page yielded,
>
> Forbidden (403)
>
> CSRF verification failed. Request aborted.
>
> You are seeing this message because this HTTPS site requires a 'Referer header' to be sent
> by your web browser, but none was sent. This header is required for security reasons, to
> ensure that your browser is not being hijacked by third parties.
>
> If you have configured your browser to disable 'Referer' headers, please re-enable them, at
> least for this site, or for HTTPS connections, or for 'same-origin' requests.
>
> More information is available with DEBUG=True.

As a web developer who has discovered and defended against CSRF in the past, I feel I should express my opinion here. You should only use HTTP referrers to prevent CSRF as a quick fix whilst a proper system is put in place. A better way would be to embed a session ID in the form, pass it in the POST data, and then compare it against the session ID on the server side.

-- 
Mike Cardwell  https://grepular.com/  https://twitter.com/mickeyc
Professional   http://cardwellit.com/  http://linkedin.com/in/mikecardwell
PGP.mit.edu    0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
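The session-bound form token that the reply recommends, as an added example that is not part of this thread and not Tor Weather's or Django's own code. It assumes an in-memory session store and the hypothetical handler names `render_subscribe_form` and `handle_subscribe`; the request data is a constructed dict standing in for parsed POST fields. One design choice worth noting: the example stores a dedicated random token in the session and embeds that, rather than the session identifier itself, so the cookie value never appears in page markup. The check consults no Referer header, so a browser that strips it (the situation in the quoted 403) is unaffected.

```python
import hmac
import secrets
from html import escape

# Constructed in-memory session store: session id (cookie value) -> session data.
SESSIONS = {}


def new_session():
    """Create a server-side session and return its identifier (the cookie value)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid


def csrf_token_for(sid):
    """Return the session's anti-CSRF token, creating it on first use.

    A separate random token is held in the session instead of reusing the
    session id, so the cookie value is never written into the HTML.
    """
    session = SESSIONS[sid]
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_subscribe_form(sid):
    """Render the subscribe form with the token embedded as a hidden field."""
    token = csrf_token_for(sid)
    return (
        '<form method="post" action="/subscribe">\n'
        f'  <input type="hidden" name="csrf_token" value="{escape(token)}">\n'
        '  <input type="email" name="email">\n'
        '  <button type="submit">Subscribe</button>\n'
        '</form>'
    )


def csrf_check(sid, post_data):
    """Validate a POST: the submitted token must equal the one the session holds.

    Returns True if the request may proceed, False if it must be rejected.
    A cross-site page can make the victim's browser send the cookie, but it
    cannot read the token out of a form it never received, so it cannot
    supply a matching value.
    """
    session = SESSIONS.get(sid)
    if session is None or "csrf_token" not in session:
        return False  # no such session, or no form was ever issued to it
    submitted = post_data.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(session["csrf_token"], submitted)


def handle_subscribe(sid, post_data):
    """Request handler (hypothetical): 403 on a failed token check, else 200."""
    if not csrf_check(sid, post_data):
        return 403, "CSRF verification failed. Request aborted."
    return 200, f"Subscribed {post_data.get('email', '')}"


if __name__ == "__main__":
    victim = new_session()
    print(render_subscribe_form(victim))
    # Legitimate submission from the rendered form.
    print(handle_subscribe(victim, {"csrf_token": csrf_token_for(victim),
                                    "email": "user@example.org"}))
    # Constructed forged request: cookie present, token unknown to the forger.
    print(handle_subscribe(victim, {"email": "attacker-chosen@example.org"}))
```

Running the module renders the form, accepts the genuine submission, and rejects the forged one with the same 403 text Scott saw, but for the right reason: the token is missing, not the Referer.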