CSRF_TRUSTED_ORIGINS? #3
If I'm reading correctly, this would only be if you're making requests from a different domain or via something on the same domain that doesn't include the If that's the case, you'd use this when you are making POSTs via JS and/or from a different domain? I might be missing how this affects the default Django admin. My initial thought is that we could add it like this: CSRF_TRUSTED_ORIGINS = env.list("CSRF_TRUSTED_ORIGINS", default=[]) Does that seem reasonable?
Modern browsers will set the Origin and this will be checked in preference to However, the point about subdomains is correct: if Origin matches the request host then this list is not consulted. This is the basic case, so an empty list seems a good default. (Indeed it is the default.) (I'm slightly sceptical about setting list values from string env vars, but I guess that's a distraction at this point.)
Thanks for the additional insight! I'm happy to bite on the distraction 😆 ... What is your concern about converting CSVs to a list? I can see it being an issue if you have commas in the string, but that wouldn't be the case for domains. Pydantic requires valid JSON to make this conversion, but that feels a little over the top to me.
It gives me the 'eebies™ 😜 I'm sure it's fine (again ™ :) but once I'm passing more than a simple scalar I feel much happier with more than just strings. (If I had a full answer here I'd be pushing it, so do feel free to carry on regardless 🙂)
In the cold light of morning, the issue is (as ever with these things) How quickly does an error show up? — the trouble with string values is typos go undetected until they trigger an error, and then there's a long debugging process. I'd rather catch those when defining the input values.
I don't think it's something to worry about here. Simple works in most cases.
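As an added example (not code from this thread or the project), here is a fail-fast version of the proposed env.list("CSRF_TRUSTED_ORIGINS", default=[]) pattern: it parses the comma-separated variable and validates each entry as a Django 4.0+ origin at settings-load time, so a typo or a missing scheme fails immediately rather than as a 403 in production. The helper names (validate_origin, csrf_trusted_origins_from_env) and the sample environment are my own; it uses ValueError in place of Django's ImproperlyConfigured so it runs without Django installed.

```python
import os
from urllib.parse import urlsplit

# Added example, not part of the issue thread or the project. Mirrors
#   CSRF_TRUSTED_ORIGINS = env.list("CSRF_TRUSTED_ORIGINS", default=[])
# but validates each origin up front, so a typo in the environment
# variable surfaces at startup instead of as a CSRF 403 on the first POST.

ALLOWED_SCHEMES = ("http", "https")


def validate_origin(origin: str) -> str:
    """Return the stripped origin if it is a valid Django 4.0+ trusted origin.

    Django 4.0 requires a scheme ("https://example.com"); a leading "*." on
    the host matches subdomains. Paths, queries, fragments and trailing
    slashes are rejected because Django compares scheme and host[:port] only.
    """
    origin = origin.strip()
    parts = urlsplit(origin)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"{origin!r}: origin must start with http:// or https://")
    if not parts.netloc or parts.path or parts.query or parts.fragment:
        raise ValueError(f"{origin!r}: origin must be scheme://host[:port] only")
    host = parts.netloc.rsplit("@", 1)[-1]  # ignore any userinfo
    if host.startswith("*.") and host.count("*") == 1:
        host = host[2:]  # wildcard subdomain form, e.g. https://*.example.com
    if "*" in host or host.startswith(".") or host.split(":")[0].endswith("."):
        raise ValueError(f"{origin!r}: malformed host")
    return origin


def csrf_trusted_origins_from_env(name="CSRF_TRUSTED_ORIGINS", default=(), environ=None):
    """Parse a comma-separated env var into a validated list of origins."""
    environ = os.environ if environ is None else environ
    raw = environ.get(name)
    if raw is None or not raw.strip():
        return list(default)
    return [validate_origin(item) for item in raw.split(",") if item.strip()]


if __name__ == "__main__":
    # Constructed environments for demonstration
    good = {"CSRF_TRUSTED_ORIGINS": "https://example.com, https://*.example.org:8443"}
    print(csrf_trusted_origins_from_env(environ=good))
    bad = {"CSRF_TRUSTED_ORIGINS": "example.com"}  # no scheme: the common 4.0 upgrade mistake
    try:
        csrf_trusted_origins_from_env(environ=bad)
    except ValueError as exc:
        print("rejected:", exc)
```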
CSRF_TRUSTED_ORIGINS needs to be set for Django 4.0+ if you want any POST requests, aka the Django admin and any other form, to work in production. Maybe something in settings.py or elsewhere to at least alert the user to this need?