Django CSRF explicitly doesn't trust HTTP when submitting to HTTPS

I managed to introduce a wonderful little bug in the Django blog site here. I wanted all contributors (those making comments, and myself) to use HTTPS, but I didn't want to rewrite the templates for the Zinnia blog entries, so I just naively redirected the comments form to the HTTPS site. CSRF protection in Django explicitly does not allow HTTP-to-HTTPS posts (which is a good thing in general, as it prevents someone from rewriting the post on the fly). Oops. For now I've made the comments form post over the same protocol you're using to browse. It's already produced a significant uptick in the number of spam comments, but at least real comments might get through once in a while.
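To make the failure mode concrete, here is an added example (not Django's own code, and not from the original post): a simplified re-implementation of the Referer check that Django's CsrfViewMiddleware applies to POST requests arriving over HTTPS. The hostnames and the trusted-origins value are constructed for illustration; the function is a hypothetical stand-in, not a Django API.

```python
from urllib.parse import urlparse

# Simplified re-implementation of the logic Django's CsrfViewMiddleware uses
# for POSTs over HTTPS (illustrative, not Django's actual code). It assumes the
# CSRF token itself has already been validated; this is only the Referer step.

def check_referer(request_is_secure, referer, request_host, trusted_origins=()):
    """Return (accepted, reason) for a POST with the given Referer header."""
    if not request_is_secure:
        # Strict Referer checking is applied to HTTPS requests only: over plain
        # HTTP an on-path attacker could forge the header anyway.
        return True, "plain HTTP request: Referer not checked"
    if not referer:
        return False, "Referer checking failed - no Referer"
    parsed = urlparse(referer)
    if parsed.scheme != "https" or not parsed.netloc:
        # The branch the blog post hit: a comments form served over HTTP sends
        # an http:// Referer when it is redirected to post to the HTTPS site.
        return False, f"Referer checking failed - {referer} is insecure while host is secure"
    origin = f"{parsed.scheme}://{parsed.netloc}"
    if parsed.netloc == request_host or origin in trusted_origins:
        return True, "ok"
    return False, f"Referer checking failed - {referer} does not match any trusted origins"


def blog_scenarios():
    """Constructed scenarios mirroring the post: the bug, and the same-protocol fix."""
    host = "blog.example"  # constructed hostname
    return {
        # Form rendered over HTTP, submitted to HTTPS: rejected by the Referer check.
        "http_form_to_https": check_referer(True, f"http://{host}/entry/1/", host),
        # Form rendered over HTTPS, submitted to HTTPS: accepted.
        "https_form_to_https": check_referer(True, f"https://{host}/entry/1/", host),
        # Form rendered over HTTP, submitted to HTTP: no strict check, accepted.
        "http_form_to_http": check_referer(False, f"http://{host}/entry/1/", host),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in blog_scenarios().items():
        print(f"{name:22s} accepted={accepted!s:5s} {reason}")
```

The first scenario is the one the author tripped over; serving the form itself over HTTPS (rather than posting cross-protocol) is the arrangement the check is designed to accept.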