use Referer instead of Origin when using IE

* IE10 (and 11) do not send HTTP_ORIGIN when requesting a URL no in the same origin, although recommended by WHATWG [1] * if IE10 is used, use the referer. If this header is supressed by the user, it won't work (and I don't care). IE10 needs to die, seriously: > We have a long-standing interoperability difference with other browsers > where we treat different ports as same-origin whereas other browsers > treat them as cross-origin. via https://connect.microsoft.com/IE/feedback/details/781303/origin-header-is-not-added-to-cors-requests-to-same-domain-but-different-port [1] http://tools.ietf.org/html/draft-abarth-origin-09
2013-12-02 12:06:07 +01:00 · 2013-12-02 12:06:07 +01:00 · 9a03cca793
commit 9a03cca793
parent 4c16ba76cc
1 changed files with 5 additions and 1 deletions
--- a/isso/views/comments.py
+++ b/isso/views/comments.py
@ -12,6 +12,7 @@ from werkzeug.http import dump_cookie
 from werkzeug.routing import Rule
 from werkzeug.wrappers import Response
 from werkzeug.exceptions import BadRequest, Forbidden, NotFound
+from werkzeug.useragents import UserAgent

 from isso.compat import text_type as str

@ -44,7 +45,10 @@ def csrf(view):

    def dec(self, environ, request, *args, **kwargs):

-        origin = request.headers.get("Origin", "")
+        if UserAgent(environ).browser == "msie":  # yup
+            origin = request.headers.get("Referer", "")
+        else:
+            origin = request.headers.get("Origin", "")
        if parse.host(origin) not in map(parse.host, self.conf.getiter("host")):
            raise Forbidden("CSRF")