Django - How to do CSRF on public pages? Or, better yet, how should it be used period?

Posted by orokusaki on Stack Overflow
Published on 2010-03-12T01:10:10Z Indexed on 2010/03/12 1:17 UTC


After reading this: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-to-use-it

I came to the conclusion that it is not valid to use this except for when you trust the person who is using the page which enlists it. Is this correct?

I guess I don't really understand when it's safe to use this because of this statement:

This should not be done for POST forms that target external URLs, since that would cause the CSRF token to be leaked, leading to a vulnerability.

The reason it's confusing is that to me an "external URL" would be one that isn't part of my domain (i.e., I own www.example.com and put a form that posts to www.spamfoo.com). This obviously can't be the case since people wouldn't use Django for generating forms that post to other people's websites, but how could it be true that you can't use CSRF protection on public forms (like a login form)?

© Stack Overflow or respective owner
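To illustrate why the token works on a public login form and what "leaking" it to an external URL means, here is an added, simplified simulation of the cookie-plus-hidden-field check. It is not Django's code (only the `csrftoken` cookie and `csrfmiddlewaretoken` field names mirror Django); all other function names, the origin, and the sample values are assumptions.

```python
import hmac
import secrets
from typing import Optional

SITE_ORIGIN = "https://www.example.com"   # the site we control (from the question)


def issue_csrf_token() -> str:
    """Per-browser secret: set as the 'csrftoken' cookie on the first GET,
    whether or not the visitor is logged in. That is what makes public
    forms such as a login page protectable."""
    return secrets.token_hex(16)


def csrf_check(cookie_token: Optional[str], form_token: Optional[str]) -> bool:
    """Accept a POST only if the hidden field echoes the visitor's own cookie."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def handle_post(cookies: dict, post_data: dict) -> int:
    """What a CSRF middleware does before the view runs: 200 pass, 403 reject."""
    ok = csrf_check(cookies.get("csrftoken"), post_data.get("csrfmiddlewaretoken"))
    return 200 if ok else 403


def render_form(action_url: str, visitor_token: str) -> dict:
    """Template side: embed the token only when the form targets our own origin.
    A form posting to www.spamfoo.com would hand that site the visitor's token."""
    fields = {"username": "", "password": ""}
    if action_url.startswith(SITE_ORIGIN + "/"):
        fields["csrfmiddlewaretoken"] = visitor_token
    return {"action": action_url, "fields": fields}


def scenarios() -> dict:
    token = issue_csrf_token()                  # constructed sample visitor
    browser_cookies = {"csrftoken": token}      # browser sends this to our site
    # 1. Anonymous visitor submits our public login form (token echoed back).
    own_form = render_form(SITE_ORIGIN + "/login/", token)
    legit = handle_post(browser_cookies, own_form["fields"])
    # 2. A third-party page submits a form at our site: the browser still attaches
    #    the cookie, but that page could not read it, so the field is missing.
    cross_site = handle_post(browser_cookies, {"username": "x", "password": "y"})
    # 3. A form we render that targets an external URL carries no token, so
    #    nothing is leaked to that server.
    external = render_form("https://www.spamfoo.com/collect", token)
    return {"legit": legit, "cross_site": cross_site,
            "external_form_has_token": "csrfmiddlewaretoken" in external["fields"]}
```

The token is bound to the browser, not to an account, which is why a public form is exactly where it belongs; the "external URL" warning only concerns forms you render that post somewhere you do not control.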