Currently, I'm working on a Django 1.11 project, which I deployed using nginx with the 'https' scheme. I want to submit a form but don't want to resubmit the same one, so I used the POST/REDIRECT/GET pattern. Everything is working fine and as expected on Mozilla and Chrome, i.e. a POST/REDIRECT/GET call will render the corresponding webpage, and on reload & resubmit the same form will render 403 access denied as expected. The problem only occurs when I'm testing the same view in the Microsoft Edge browser. On calling the POST/REDIRECT/GET method, it directly throws me a 403. The reason for the 403 is 'REASON_NO_REFERER'. Microsoft Edge is forwarding an empty HTTP Referer while using the POST/REDIRECT/GET pattern.
Adding <meta name="referrer" content="origin-when-cross-origin" /> in the <head> of the HTML template makes it work fine for Edge also. But I still don't know what is wrong with Edge if I don't add this meta tag in the header. Also, does it cause any security vulnerabilities?
Django explained why referer checking is a must.
# Suppose a user visits http://example.com/
# An active network attacker (man-in-the-middle, MITM) sends a
# POST form that targets https://example.com/detonate-bomb/ and
# submits it via JavaScript.
#
# The attacker will need to provide a CSRF cookie and token, but
# that's no problem for a MITM and the session-independent
# secret we're using. So the MITM can circumvent the CSRF
# protection. This is true for any HTTP connection, but anyone
# using HTTPS expects better! For this reason, for
# https://example.com/ we need additional protection that treats
# http://example.com/ as completely untrusted. Under HTTPS,
# Barth et al. found that the Referer header is missing for
# same-domain requests in only about 0.2% of cases or less, so we can use strict Referer checking.
So, in that case, does it mean adding the meta tag in the HTML is compulsory to feed xyz-origin in the HTTP Referer? If yes, does it cause any security vulnerabilities for a man-in-the-middle attack, as the attacker may have the HTTP Referer also?
I'm poor in networking concepts, so please correct me if something is missing or wrong on my side.
The meta referrer tag works with most browsers to pass referrer information in a manner defined by the user. Traffic remains encrypted and all the benefits of using HTTPS remain in place, but now you can pass referrer data to all websites, even those that use HTTP.
Origin When Cross-Origin: Sends the full URL as the referrer when the target has the same scheme, host, and port (i.e. subdomain) regardless of whether it's HTTP or HTTPS, while sending origin-only referral information to external sites.
So based on that, I think you will not have any security-related issues.
References:
(1) The Meta Referrer Tag: An Advancement for SEO and the Internet
(2) SEO for HTTPS Sites: Should You Implement the Meta Referrer Tag?
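Added example, not code from the question, the answer or Django itself: a simplified Python model of the Referer check that Django 1.11's CsrfViewMiddleware applies to HTTPS POSTs (the check that produced REASON_NO_REFERER above), next to the Referer a browser builds under the origin-when-cross-origin policy. The hostnames are placeholders and the rejection messages are modelled on Django's wording.

```python
from urllib.parse import urlsplit, urlunsplit

# Rejection reasons, modelled on the messages Django's CSRF middleware uses.
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_MALFORMED_REFERER = "Referer checking failed - Referer is malformed."
REASON_INSECURE_REFERER = "Referer checking failed - Referer is insecure while host is secure."
REASON_BAD_REFERER = "Referer checking failed - %s does not match any trusted origins."


def is_same_domain(host, pattern):
    """Django-style host match: exact host, or a leading-dot pattern that
    also accepts subdomains (".example.com" matches "app.example.com")."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def check_referer(referer, request_host, trusted_origins=()):
    """Model of the strict Referer check Django runs for HTTPS requests.
    Returns None if the POST is accepted, otherwise the rejection reason."""
    if referer is None:
        return REASON_NO_REFERER           # the empty-Referer case seen in Edge
    parts = urlsplit(referer)
    if "" in (parts.scheme, parts.netloc):
        return REASON_MALFORMED_REFERER
    if parts.scheme != "https":
        # A page served by a MITM over http://example.com/ ends up here: the
        # browser-set Referer carries the http scheme and is rejected.
        return REASON_INSECURE_REFERER
    good_hosts = list(trusted_origins) + [request_host]
    if not any(is_same_domain(parts.netloc, h) for h in good_hosts):
        return REASON_BAD_REFERER % referer
    return None


def referer_for(source_url, target_url):
    """Referer a browser sends under "origin-when-cross-origin": the full
    source URL (minus fragment and userinfo) when the target shares scheme,
    host and port; otherwise only the source origin, "scheme://host[:port]/"."""
    s, t = urlsplit(source_url), urlsplit(target_url)
    netloc = s.hostname if s.port is None else "%s:%d" % (s.hostname, s.port)
    if (s.scheme, s.hostname, s.port) == (t.scheme, t.hostname, t.port):
        return urlunsplit((s.scheme, netloc, s.path, s.query, ""))
    return urlunsplit((s.scheme, netloc, "/", "", ""))
```

Running the two together shows why the policy is safe for this flow: a same-origin POST still carries the full https Referer, a third party only ever learns the origin, and anything a MITM can make the browser send over plain HTTP fails the scheme check.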