Add allow_no_origin option to CSRF.

author: Theron Luhn <theron@luhn.com> 2019-09-19 18:32:41 -0700
committer: Theron Luhn <theron@luhn.com> 2019-09-19 18:32:41 -0700
commit: 6dd21309e4d9b21162b8db3e015533be10db0601 (patch)
tree: b032a3aeeeed79fcb6ad1b273bc214147dd0884c /src
parent: 3af1883bcd617d74eb8c9b134b5ac830f8cdd2a9 (diff)
download: pyramid-6dd21309e4d9b21162b8db3e015533be10db0601.tar.gz
pyramid-6dd21309e4d9b21162b8db3e015533be10db0601.tar.bz2
pyramid-6dd21309e4d9b21162b8db3e015533be10db0601.zip
4 files changed, 35 insertions, 6 deletions
diff --git a/src/pyramid/config/security.py b/src/pyramid/config/security.py
index 08e7cb81a..0d2bc8e99 100644
--- a/src/pyramid/config/security.py
+++ b/src/pyramid/config/security.py
@@ -197,6 +197,7 @@ class SecurityConfiguratorMixin(object):
         token='csrf_token',
         header='X-CSRF-Token',
         safe_methods=('GET', 'HEAD', 'OPTIONS', 'TRACE'),
+        allow_no_origin=False,
         callback=None,
     ):
         """
@@ -238,7 +239,12 @@ class SecurityConfiguratorMixin(object):
 
         """
         options = DefaultCSRFOptions(
-            require_csrf, token, header, safe_methods, callback
+            require_csrf=require_csrf,
+            token=token,
+            header=header,
+            safe_methods=safe_methods,
+            allow_no_origin=allow_no_origin,
+            callback=callback,
         )
 
         def register():
@@ -287,9 +293,18 @@ class SecurityConfiguratorMixin(object):
 
 @implementer(IDefaultCSRFOptions)
 class DefaultCSRFOptions(object):
-    def __init__(self, require_csrf, token, header, safe_methods, callback):
+    def __init__(
+        self,
+        require_csrf,
+        token,
+        header,
+        safe_methods,
+        allow_no_origin,
+        callback,
+    ):
         self.require_csrf = require_csrf
         self.token = token
         self.header = header
         self.safe_methods = frozenset(safe_methods)
+        self.allow_no_origin = allow_no_origin
         self.callback = callback
diff --git a/src/pyramid/csrf.py b/src/pyramid/csrf.py
index deb35fedb..b352ada71 100644
--- a/src/pyramid/csrf.py
+++ b/src/pyramid/csrf.py
@@ -247,7 +247,9 @@ def check_csrf_token(
     return True
 
 
-def check_csrf_origin(request, trusted_origins=None, raises=True):
+def check_csrf_origin(
+    request, trusted_origins=None, allow_no_origin=False, raises=True
+):
     """
     Check the ``Origin`` of the request to see if it is a cross site request or
     not.
@@ -302,9 +304,13 @@ def check_csrf_origin(request, trusted_origins=None, raises=True):
         if origin is None:
             origin = request.referrer
 
-        # Fail if we were not able to locate an origin at all
+        # If we can't find an origin, fail or pass immediately depending on
+        # ``allow_no_origin``
         if not origin:
-            return _fail("Origin checking failed - no Origin or Referer.")
+            if allow_no_origin:
+                return True
+            else:
+                return _fail("Origin checking failed - no Origin or Referer.")
 
         # Parse our origin so we we can extract the required information from
         # it.
diff --git a/src/pyramid/interfaces.py b/src/pyramid/interfaces.py
index 638c1a9fd..15ae3faaa 100644
--- a/src/pyramid/interfaces.py
+++ b/src/pyramid/interfaces.py
@@ -1055,6 +1055,10 @@ class IDefaultCSRFOptions(Interface):
     header = Attribute('The header to be matched with the CSRF token.')
     safe_methods = Attribute('A set of safe methods that skip CSRF checks.')
     callback = Attribute('A callback to disable CSRF checks per-request.')
+    allow_no_origin = Attribute(
+        'Boolean.  If false, a request lacking both an ``Origin`` and '
+        '``Referer`` header will fail the CSRF check.'
+    )
 
 
 class ISessionFactory(Interface):
diff --git a/src/pyramid/viewderivers.py b/src/pyramid/viewderivers.py
index 181cc9e5c..c41a57d7e 100644
--- a/src/pyramid/viewderivers.py
+++ b/src/pyramid/viewderivers.py
@@ -488,12 +488,14 @@ def csrf_view(view, info):
         token = 'csrf_token'
         header = 'X-CSRF-Token'
         safe_methods = frozenset(["GET", "HEAD", "OPTIONS", "TRACE"])
+        allow_no_origin = False
         callback = None
     else:
         default_val = defaults.require_csrf
         token = defaults.token
         header = defaults.header
         safe_methods = defaults.safe_methods
+        allow_no_origin = defaults.allow_no_origin
         callback = defaults.callback
 
     enabled = (
@@ -512,7 +514,9 @@ def csrf_view(view, info):
             if request.method not in safe_methods and (
                 callback is None or callback(request)
             ):
-                check_csrf_origin(request, raises=True)
+                check_csrf_origin(
+                    request, raises=True, allow_no_origin=allow_no_origin
+                )
                 check_csrf_token(request, token, header, raises=True)
             return view(context, request)
author	Theron Luhn <theron@luhn.com>	2019-09-19 18:32:41 -0700
committer	Theron Luhn <theron@luhn.com>	2019-09-19 18:32:41 -0700
commit	6dd21309e4d9b21162b8db3e015533be10db0601 (patch)
tree	b032a3aeeeed79fcb6ad1b273bc214147dd0884c /src
parent	3af1883bcd617d74eb8c9b134b5ac830f8cdd2a9 (diff)
download	pyramid-6dd21309e4d9b21162b8db3e015533be10db0601.tar.gz pyramid-6dd21309e4d9b21162b8db3e015533be10db0601.tar.bz2 pyramid-6dd21309e4d9b21162b8db3e015533be10db0601.zip