From 6dd21309e4d9b21162b8db3e015533be10db0601 Mon Sep 17 00:00:00 2001
From: Theron Luhn <theron@luhn.com>
Date: Thu, 19 Sep 2019 18:32:41 -0700
Subject: Add allow_no_origin option to CSRF.

---
 src/pyramid/config/security.py | 19 +++++++++++++++++--
 src/pyramid/csrf.py            | 12 +++++++++---
 src/pyramid/interfaces.py      |  4 ++++
 src/pyramid/viewderivers.py    |  6 +++++-
 4 files changed, 35 insertions(+), 6 deletions(-)

(limited to 'src')

diff --git a/src/pyramid/config/security.py b/src/pyramid/config/security.py
index 08e7cb81a..0d2bc8e99 100644
--- a/src/pyramid/config/security.py
+++ b/src/pyramid/config/security.py
@@ -197,6 +197,7 @@ class SecurityConfiguratorMixin(object):
         token='csrf_token',
         header='X-CSRF-Token',
         safe_methods=('GET', 'HEAD', 'OPTIONS', 'TRACE'),
+        allow_no_origin=False,
         callback=None,
     ):
         """
@@ -238,7 +239,12 @@ class SecurityConfiguratorMixin(object):
 
         """
         options = DefaultCSRFOptions(
-            require_csrf, token, header, safe_methods, callback
+            require_csrf=require_csrf,
+            token=token,
+            header=header,
+            safe_methods=safe_methods,
+            allow_no_origin=allow_no_origin,
+            callback=callback,
         )
 
         def register():
@@ -287,9 +293,18 @@ class SecurityConfiguratorMixin(object):
 
 @implementer(IDefaultCSRFOptions)
 class DefaultCSRFOptions(object):
-    def __init__(self, require_csrf, token, header, safe_methods, callback):
+    def __init__(
+        self,
+        require_csrf,
+        token,
+        header,
+        safe_methods,
+        allow_no_origin,
+        callback,
+    ):
         self.require_csrf = require_csrf
         self.token = token
         self.header = header
         self.safe_methods = frozenset(safe_methods)
+        self.allow_no_origin = allow_no_origin
         self.callback = callback
diff --git a/src/pyramid/csrf.py b/src/pyramid/csrf.py
index deb35fedb..b352ada71 100644
--- a/src/pyramid/csrf.py
+++ b/src/pyramid/csrf.py
@@ -247,7 +247,9 @@ def check_csrf_token(
     return True
 
 
-def check_csrf_origin(request, trusted_origins=None, raises=True):
+def check_csrf_origin(
+    request, trusted_origins=None, allow_no_origin=False, raises=True
+):
     """
     Check the ``Origin`` of the request to see if it is a cross site request or
     not.
@@ -302,9 +304,13 @@ def check_csrf_origin(request, trusted_origins=None, raises=True):
         if origin is None:
             origin = request.referrer
 
-        # Fail if we were not able to locate an origin at all
+        # If we can't find an origin, fail or pass immediately depending on
+        # ``allow_no_origin``
         if not origin:
-            return _fail("Origin checking failed - no Origin or Referer.")
+            if allow_no_origin:
+                return True
+            else:
+                return _fail("Origin checking failed - no Origin or Referer.")
 
         # Parse our origin so we we can extract the required information from
         # it.
diff --git a/src/pyramid/interfaces.py b/src/pyramid/interfaces.py
index 638c1a9fd..15ae3faaa 100644
--- a/src/pyramid/interfaces.py
+++ b/src/pyramid/interfaces.py
@@ -1055,6 +1055,10 @@ class IDefaultCSRFOptions(Interface):
     header = Attribute('The header to be matched with the CSRF token.')
     safe_methods = Attribute('A set of safe methods that skip CSRF checks.')
     callback = Attribute('A callback to disable CSRF checks per-request.')
+    allow_no_origin = Attribute(
+        'Boolean.  If false, a request lacking both an ``Origin`` and '
+        '``Referer`` header will fail the CSRF check.'
+    )
 
 
 class ISessionFactory(Interface):
diff --git a/src/pyramid/viewderivers.py b/src/pyramid/viewderivers.py
index 181cc9e5c..c41a57d7e 100644
--- a/src/pyramid/viewderivers.py
+++ b/src/pyramid/viewderivers.py
@@ -488,12 +488,14 @@ def csrf_view(view, info):
         token = 'csrf_token'
         header = 'X-CSRF-Token'
         safe_methods = frozenset(["GET", "HEAD", "OPTIONS", "TRACE"])
+        allow_no_origin = False
         callback = None
     else:
         default_val = defaults.require_csrf
         token = defaults.token
         header = defaults.header
         safe_methods = defaults.safe_methods
+        allow_no_origin = defaults.allow_no_origin
         callback = defaults.callback
 
     enabled = (
@@ -512,7 +514,9 @@ def csrf_view(view, info):
             if request.method not in safe_methods and (
                 callback is None or callback(request)
             ):
-                check_csrf_origin(request, raises=True)
+                check_csrf_origin(
+                    request, raises=True, allow_no_origin=allow_no_origin
+                )
                 check_csrf_token(request, token, header, raises=True)
             return view(context, request)
 
-- 
cgit v1.2.3


From 9ffed1017d5e416813df73e4e76b6bfd1d2da2c8 Mon Sep 17 00:00:00 2001
From: Theron Luhn <theron@luhn.com>
Date: Thu, 19 Sep 2019 20:30:08 -0700
Subject: Document CSRF allow_no_origin option.

---
 src/pyramid/config/security.py | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'src')

diff --git a/src/pyramid/config/security.py b/src/pyramid/config/security.py
index 0d2bc8e99..02271e2ba 100644
--- a/src/pyramid/config/security.py
+++ b/src/pyramid/config/security.py
@@ -222,6 +222,9 @@ class SecurityConfiguratorMixin(object):
         never be automatically checked for CSRF tokens.
         Default: ``('GET', 'HEAD', 'OPTIONS', TRACE')``.
 
+        ``allow_no_origin`` is a boolean.  If false, a request lacking both an
+        ``Origin`` and ``Referer`` header will fail the CSRF check.'
+
         If ``callback`` is set, it must be a callable accepting ``(request)``
         and returning ``True`` if the request should be checked for a valid
         CSRF token. This callback allows an application to support
@@ -237,6 +240,9 @@ class SecurityConfiguratorMixin(object):
         .. versionchanged:: 1.8
            Added the ``callback`` option.
 
+        .. versionchanged:: 2.0
+           Added the ``allow_no_origin`` option.
+
         """
         options = DefaultCSRFOptions(
             require_csrf=require_csrf,
-- 
cgit v1.2.3


From 904314e683cc488871ba8f163ff47a5c3be86db4 Mon Sep 17 00:00:00 2001
From: Theron Luhn <theron@luhn.com>
Date: Mon, 23 Sep 2019 11:02:56 -0700
Subject: Doc fixes from @Deimos

---
 src/pyramid/config/security.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/pyramid/config/security.py b/src/pyramid/config/security.py
index 02271e2ba..17ac5ded7 100644
--- a/src/pyramid/config/security.py
+++ b/src/pyramid/config/security.py
@@ -223,7 +223,7 @@ class SecurityConfiguratorMixin(object):
         Default: ``('GET', 'HEAD', 'OPTIONS', TRACE')``.
 
         ``allow_no_origin`` is a boolean.  If false, a request lacking both an
-        ``Origin`` and ``Referer`` header will fail the CSRF check.'
+        ``Origin`` and ``Referer`` header will fail the CSRF check.
 
         If ``callback`` is set, it must be a callable accepting ``(request)``
         and returning ``True`` if the request should be checked for a valid
-- 
cgit v1.2.3