use Referer instead of Origin when using IE
* IE10 (and 11) do not send HTTP_ORIGIN when requesting a URL not in the same origin, although recommended by WHATWG [1] * if IE10 is used, use the referer. If this header is suppressed by the user, it won't work (and I don't care). IE10 needs to die, seriously: > We have a long-standing interoperability difference with other browsers > where we treat different ports as same-origin whereas other browsers > treat them as cross-origin. via https://connect.microsoft.com/IE/feedback/details/781303/origin-header-is-not-added-to-cors-requests-to-same-domain-but-different-port [1] http://tools.ietf.org/html/draft-abarth-origin-09
This commit is contained in:
parent
4c16ba76cc
commit
9a03cca793
@ -12,6 +12,7 @@ from werkzeug.http import dump_cookie
|
|||||||
from werkzeug.routing import Rule
|
from werkzeug.routing import Rule
|
||||||
from werkzeug.wrappers import Response
|
from werkzeug.wrappers import Response
|
||||||
from werkzeug.exceptions import BadRequest, Forbidden, NotFound
|
from werkzeug.exceptions import BadRequest, Forbidden, NotFound
|
||||||
|
from werkzeug.useragents import UserAgent
|
||||||
|
|
||||||
from isso.compat import text_type as str
|
from isso.compat import text_type as str
|
||||||
|
|
||||||
@ -44,6 +45,9 @@ def csrf(view):
|
|||||||
|
|
||||||
def dec(self, environ, request, *args, **kwargs):
|
def dec(self, environ, request, *args, **kwargs):
|
||||||
|
|
||||||
|
if UserAgent(environ).browser == "msie": # yup
|
||||||
|
origin = request.headers.get("Referer", "")
|
||||||
|
else:
|
||||||
origin = request.headers.get("Origin", "")
|
origin = request.headers.get("Origin", "")
|
||||||
if parse.host(origin) not in map(parse.host, self.conf.getiter("host")):
|
if parse.host(origin) not in map(parse.host, self.conf.getiter("host")):
|
||||||
raise Forbidden("CSRF")
|
raise Forbidden("CSRF")
|
||||||
|
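Review bot: The new `if UserAgent(environ).browser == "msie":` branch makes a CSRF decision depend on the client-supplied User-Agent string and on werkzeug's parser classifying IE11 (which identifies itself via a `Trident/7.0` token) as `msie`, which I cannot confirm from here; the same fix without browser sniffing is to fall back to Referer only when Origin is absent, `origin = request.headers.get("Origin") or request.headers.get("Referer", "")`, which still fails closed to `""` when both headers are suppressed. Referer carries a full URL rather than a scheme+host origin, so this relies on `parse.host` accepting both forms — presumably it does, since the configured host list already goes through it, but worth confirming. The `# yup` comment on the added branch should state the reason instead: `# IE10/11 omit Origin on cross-origin requests; Referer is the only origin signal they send`. The enclosing `csrf` decorator and the rest of `dec` (the call into the wrapped view after the check) lie outside the hunk.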