

Issue #3360 wontfix

I have a bone to pick with you about CSRF.

Anonymous created an issue

This is feedback regarding your signup process and your issues process, pretty much every sensitive form you have...

Checking referrer fields is not CSRF mitigation. In fact, I am surprised you haven't had more complaints about it.

Also, your error page is big and ugly, and discloses details on how to exfiltrate more information from your system, indicating the use of "DEBUG=True".

I had to switch from FF 8.0 because I couldn't submit any forms on my main browser...

Comments (3)

  1. Brodie Rao

    We're using Django's built-in CSRF protection system. In their docs they mention the motivation for checking HTTP referrers:

    In addition, for HTTPS requests, strict referer checking is done by CsrfViewMiddleware. This is necessary to address a Man-In-The-Middle attack that is possible under HTTPS when using a session independent nonce, due to the fact that HTTP 'Set-Cookie' headers are (unfortunately) accepted by clients that are talking to a site under HTTPS. (Referer checking is not done for HTTP requests because the presence of the Referer header is not reliable enough under HTTP.)

    If you can provide a compelling reason not to use that (while still addressing that issue), I can take a look at implementing it.

    As for the debug page, that definitely shouldn't show up. I'll take a look at fixing that.

    Also, what browser were you using that had problems with the CSRF protection system? Did you intentionally disable sending referrers?

  2. erakis

    Not everybody wants to send a "referer" field giving away private information when surfing on the web. And going to about:config everytime you want to use bitbucket and then again when you're done is just not practical. I will not use bitbucket for my projects because of this issue.

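The HTTPS-only Referer check that Brodie Rao's comment quotes from the Django docs, modelled as an added, simplified example (not Bitbucket's or Django's code; the request dict shape, the host bitbucket.org and the sample token are constructed): it shows why a browser configured to suppress Referer is rejected over HTTPS while the same request over HTTP is judged on the token alone.

```python
import hmac
from urllib.parse import urlsplit

UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
TOKEN = "k" * 32  # constructed sample token shared by cookie and form

def check_csrf(request: dict) -> tuple[bool, str]:
    """Return (accepted, reason) for a request modelled as a plain dict
    (an assumed shape for this example, not Django's request object)."""
    if request["method"] not in UNSAFE_METHODS:
        return True, "safe method"
    # Strict Referer check only over HTTPS: an active attacker on plain HTTP
    # could plant a csrf cookie via Set-Cookie, so on HTTPS the token alone
    # does not prove the form came from our own origin.
    if request["secure"]:
        referer = request["headers"].get("Referer")
        if not referer:
            return False, "referer missing over https"
        parts = urlsplit(referer)
        if parts.scheme != "https" or parts.netloc != request["host"]:
            return False, "referer does not match origin"
    # Django's default cookie and form field names; compared in constant time.
    cookie_token = request["cookies"].get("csrftoken")
    form_token = request["form"].get("csrfmiddlewaretoken")
    if not cookie_token or not form_token:
        return False, "csrf token missing"
    if not hmac.compare_digest(cookie_token, form_token):
        return False, "csrf token mismatch"
    return True, "ok"

def make_request(*, secure, referer, method="POST", host="bitbucket.org",
                 cookie_token=TOKEN, form_token=TOKEN):
    """Build a constructed request dict; referer=None omits the header."""
    headers = {"Referer": referer} if referer else {}
    return {"method": method, "secure": secure, "host": host,
            "headers": headers, "cookies": {"csrftoken": cookie_token},
            "form": {"csrfmiddlewaretoken": form_token}}

if __name__ == "__main__":
    cases = {
        "same-origin https": make_request(secure=True, referer="https://bitbucket.org/issues/new"),
        "referer suppressed, https": make_request(secure=True, referer=None),
        "referer suppressed, http": make_request(secure=False, referer=None),
        "cross-origin referer": make_request(secure=True, referer="https://attacker.example/"),
        "token mismatch": make_request(secure=True, referer="https://bitbucket.org/", form_token="x" * 32),
    }
    for name, req in cases.items():
        print(f"{name:28s} -> {check_csrf(req)}")
```

The second case is the situation erakis describes: a valid token is present, but with Referer suppressed the HTTPS form is refused, which is the trade-off the Django docs accept to cover the Set-Cookie injection case.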