Bitbucket server (aka "stash") examples:
- Create a pull request (the most common workflow in bitbucket) takes far too many page loads, and is buried in "hamburger"/"more options"
- For teams with per-developer repos, it does not remember which repos the currently logged in user frequently uses, so you scroll through everone on the team's name for most operations. (And the new version "improved" this in some places with a JavaScript-heavy list that renders like molasses on no-gpu xeon vms).
- Each product (bitbucket, jira, confluence) uses a different markup language.
And so on. I could complain about other workflows or other products, but this is pretty typical for their stuff.
As a user I simply don't care what platform they use.
It might be optional as per the spec, but it's completely ubiquitous at this point, and provides an easy way to add an extra layer of safety for web developers.
Let's not spread FUD :)
- availability
- integrity
- confidentiality
It breaks availability and confidentiality to protect against an attack that is already prevented by https.
This is like installing an open ip cam and welding my padlock shut, then claiming you've improved my storage unit.
there's no decrease in availability by an attacker (there's only a self inflicted denial by the user)
there's also no decrease in confidentiality for the service itself (and if the user uses an appropriate extension[0], or the browsers implement an appropriate whitelist mechanism, there's no confidentiality decrease for the user in general either)
This is simply defense in depth
If you leaked the SECRET_KEY/misconfigured the CSRF creation (which should be impossible, but it's the whole point of adding layers) AND the victim is being MITM AND you don't implement HSTS AND You correctly set cookies as Secure
You would have a potential vulnerability, exploitable (only?) via CSRF, which this check prevents
[0] like https://addons.mozilla.org/en-US/firefox/addon/smart-referer... but I'm not advocating for the use of this extension
Then, make sure each page view overwrites / clears any side-effecting session state.
Put another way, why should unexpected cookies change the side effects of post requests?
Anyway, if the browser is connecting via port 80, the MITM can just use a transparent http->https proxy to rewrite the referrer, and forward the request to the https server, so you've already lost.
The requirement is there to close off edge cases where an attacker mess with an initial non-HTTPS request in order to set up compromise of CSRF for future HTTPS requests. HSTS by itself can't solve that. If and when browser support for the Origin header gets more widespread, it'll be possible to secure this without checking Referer. But for now, that's not an option.
I highly doubt there is any good reason to do it anywhere, and on the one case you think you got a good reason (I still doubt it), don't try to anonymize the hell out of a logged-on request.
Should be easy to mitigate this by using server-side CSRF state, or signing the tokens.
I think perhaps some way of saying "I use sessions, and therefore CSRF should rely on that" could be reasonable, but with security stuff like this I'm really hesitant to say that more definitively.
But upon looking at the code, it seems that the SECRET_KEY is only used to reseed the PRNG O_o
https://github.com/django/django/blob/stable/1.10.x/django/u...
https://security.stackexchange.com/questions/96114/why-is-re...
I don't think that the solution can be as simple as:
> you should not post from HTTP to HTTPS anyway.
because if the attacker is MITM'ing your user, he can supply the user a HTTP page that you never created (unless you have HSTS enabled)
The obvious inquire: "why doesn't the attacker simply steals the login cookie?", can probably be simply explained if your service is setting the Secure flag in the Set-Cookie header (as it should)... this way, even if the victim is logged in, the attacker wouldn't be able to steal the cookie
