> Seeing as e.g. Google services work fine without REFERER header, why can't Launchpad?
Exactly. Launchpad is pretty much the only website that I know and use that uses the referer (in a blocking way). Google, domain registrars, server hosters, all web stores, they all manage without referer and without getting hacked.
> In terms of a high level spec - prevent CSRF, don't break existing scripts.
Good. The referer check is not the only CSRF check you have in place, there are other stopgaps. From my point of view, we don't need the referer check, and others here have already stated that they consider the referer check unnecessary for CSRF prevention, possibly even dangerous. So, the patch from #32 achieves. If the patch is not acceptable, I'm afraid you'll need to be more detailed than that, about what *exactly* you're afraid of and why.
Given that you're not a Django site (but luckily still a Python site), I've posted the Django link not as a patch, but as an example of CSRF prevention without referer.
FWIW, there is a little bit of progress here: The error message no longer comes as a separate page, but as a dialog. This means that I no longer lose my comment when I forget to (or don't know to) enable referer and post. (However, the error message is now buggy: it shows the full HTML source as the error message. Still, an improvement.) Losing my comment drove me mad.
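The comment above contrasts a blocking Referer check with the token-based CSRF protection Django uses. The following is an added illustration of that contrast, not code from this thread, from Launchpad or from Django: it runs the same three constructed requests through a Referer policy and a session-bound token policy. The host name `launchpad.example`, the request dicts and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical site host and a per-process server secret (assumptions for the example).
SITE_HOST = "launchpad.example"
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer-style token bound to the session: HMAC(secret, session_id).

    The server embeds this value in every form it renders. A cross-site page
    cannot read the victim's form, so a forged POST cannot supply the right token.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_referer(request: dict) -> tuple[bool, str]:
    """Referer policy: block unless the Referer header names our own host.

    This is the behaviour the thread complains about: a legitimate user whose
    browser or extension strips Referer is rejected along with real attacks.
    """
    referer = request["headers"].get("Referer")
    if not referer:
        return False, "missing Referer"
    if urlsplit(referer).hostname != SITE_HOST:
        return False, "foreign Referer"
    return True, "ok"


def check_token(request: dict) -> tuple[bool, str]:
    """Token policy: the form must carry the token derived from the session cookie.

    Independent of Referer, so privacy settings do not break legitimate posts,
    while a forged cross-site POST (which carries the cookie but not the token) fails.
    """
    session_id = request["cookies"].get("session")
    if not session_id:
        return False, "no session"
    submitted = request["form"].get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison over bytes so odd input cannot raise or leak timing.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "bad CSRF token"
    return True, "ok"


def check_post(request: dict, policy: str) -> tuple[bool, str]:
    """Dispatch a POST to one of the two CSRF policies."""
    return {"referer": check_referer, "token": check_token}[policy](request)


# Constructed sample requests (not captured traffic).
# 1. Legitimate user, Referer suppressed by a privacy extension, form token present.
LEGIT_NO_REFERER = {
    "cookies": {"session": "sess-1"},
    "headers": {},
    "form": {"comment": "hello", "csrf_token": issue_csrf_token("sess-1")},
}
# 2. Same user with Referer sent normally.
LEGIT_WITH_REFERER = {
    "cookies": {"session": "sess-1"},
    "headers": {"Referer": "https://launchpad.example/bugs/1"},
    "form": {"comment": "hello", "csrf_token": issue_csrf_token("sess-1")},
}
# 3. Forged POST from a cross-site page: the browser attaches the victim's cookie,
#    the Referer names the attacker, and the attacker cannot know the token.
FORGED = {
    "cookies": {"session": "sess-1"},
    "headers": {"Referer": "https://attacker.example/evil"},
    "form": {"comment": "pwned"},
}

if __name__ == "__main__":
    for name, req in [("legit, no Referer", LEGIT_NO_REFERER),
                      ("legit, with Referer", LEGIT_WITH_REFERER),
                      ("forged cross-site", FORGED)]:
        for policy in ("referer", "token"):
            print(f"{name:22s} {policy:8s} -> {check_post(req, policy)}")
```

Running it shows the point of the comment: the Referer policy rejects the legitimate request that lacks a Referer, whereas the token policy accepts it and still rejects the forged request. A real deployment would also rotate or scope the token and keep the secret outside the process, which this example omits.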