use Referer instead of Origin when using IE

* IE10 (and 11) do not send HTTP_ORIGIN when requesting a URL not in
    the same origin, although recommended by WHATWG [1]
  * if IE10 is used, use the referer. If this header is suppressed by the
    user, it won't work (and I don't care).

IE10 needs to die, seriously:

> We have a long-standing interoperability difference with other browsers
> where we treat different ports as same-origin whereas other browsers
> treat them as cross-origin.

via https://connect.microsoft.com/IE/feedback/details/781303/origin-header-is-not-added-to-cors-requests-to-same-domain-but-different-port

[1] http://tools.ietf.org/html/draft-abarth-origin-09
Martin Zimmermann 2013-12-02 12:06:07 +01:00
parent 4c16ba76cc
commit 9a03cca793


@ -12,6 +12,7 @@ from werkzeug.http import dump_cookie
from werkzeug.routing import Rule from werkzeug.routing import Rule
from werkzeug.wrappers import Response from werkzeug.wrappers import Response
from werkzeug.exceptions import BadRequest, Forbidden, NotFound from werkzeug.exceptions import BadRequest, Forbidden, NotFound
from werkzeug.useragents import UserAgent
from isso.compat import text_type as str from isso.compat import text_type as str
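Review bot: the new `from werkzeug.useragents import UserAgent` import is only needed for the `msie` branch added to `csrf`; a one-line comment next to it (or on the branch) pointing at the IE Origin-header issue from the commit message would stop a later cleanup from treating a User-Agent parser inside the CSRF guard as a stray dependency.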
@ -44,6 +45,9 @@ def csrf(view):
def dec(self, environ, request, *args, **kwargs): def dec(self, environ, request, *args, **kwargs):
if UserAgent(environ).browser == "msie": # yup
origin = request.headers.get("Referer", "")
else:
origin = request.headers.get("Origin", "") origin = request.headers.get("Origin", "")
if parse.host(origin) not in map(parse.host, self.conf.getiter("host")): if parse.host(origin) not in map(parse.host, self.conf.getiter("host")):
raise Forbidden("CSRF") raise Forbidden("CSRF")
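Review bot: in both branches an absent header falls through as `origin = ""`, so whether the request is refused then depends on `parse.host("")` not matching anything in `self.conf.getiter("host")`; make the missing-header case explicit, e.g. `if not origin: raise Forbidden("CSRF")` before the host comparison, so the deny decision does not rest on how `parse.host` treats an empty string (this matters most on the `Referer` path, where the commit message already notes the header may be suppressed by the user). The `# yup` comment on the `msie` test should also say what it is working around (IE10/11 omitting Origin, per the commit message), since the User-Agent header is client-supplied and a reader needs to see that both branches still end in the same host check.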