CSRF verification failed. Request aborted.

Issue #10255 wontfix
Bersam Karbasion
created an issue

I'm aware of other issues and know this is solved by sending referer header, I disabled this myself because i didn't want to website tracks my last location. But I'm consider now what's related between CSRF verification and my last location?

ps. I thought it might be needed for OpenID verification, but I don't use it. I use the old way, simple username and password.

Comments (1)

  1. Erik van Zijst staff

    Bitbucket runs Django and we use Django's built-in CSRF protection. It is this protection that requires the use of referer headers in some cases.

    As per Django's documentation:

    for HTTPS requests, strict referer checking is done by CsrfViewMiddleware. This is necessary to address a Man-In-The-Middle attack that is possible under HTTPS when using a session independent nonce, due to the fact that HTTP ‘Set-Cookie’ headers are (unfortunately) accepted by clients that are talking to a site under HTTPS. (Referer checking is not done for HTTP requests because the presence of the Referer header is not reliable enough under HTTP.)

  2. Log in to comment