
[CSRF] Allow subdomains to match origin/referer headers #60707

Open
@Bilge

Description


The current logic of SameOriginCsrfTokenManager is that the hostname must be an exact match and this is not configurable. Perhaps a whitelist of allowed domains, or just an option to allow subdomain matches of the same TLD would be useful.

Example

Requests from https://foo.steam250.com should also be allowed to https://bar.foo.steam250.com.
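As an added illustration (not Symfony's code and not part of this issue), the following standalone PHP helper shows what a subdomain-aware host check could look like. The function names `hostMatchesBase`, `headerHost` and `isAllowedOrigin`, the `$allowedBases` whitelist and the sample header values are all hypothetical. It takes the host from the `Origin` header (falling back to `Referer`), compares it against a configured list of base hosts, and accepts an exact match or a proper subdomain. The suffix test includes the leading dot so that a constructed lookalike such as `evilfoo.steam250.com` is not treated as a subdomain of `foo.steam250.com`; a bare suffix comparison would accept it.

```php
<?php
// Added example: subdomain-aware Origin/Referer host check.
// Illustrative code only; it is not Symfony's SameOriginCsrfTokenManager.
declare(strict_types=1);

/**
 * True when $host equals $base or ends with ".$base" (a proper subdomain).
 * Comparing with the leading dot is what keeps "evilfoo.steam250.com"
 * from matching the base "foo.steam250.com".
 */
function hostMatchesBase(string $host, string $base): bool
{
    $host = strtolower(rtrim($host, '.')); // normalise case and trailing FQDN dot
    $base = strtolower(rtrim($base, '.'));
    if ($host === $base) {
        return true;
    }
    $suffix = '.' . $base;
    return strlen($host) > strlen($suffix)
        && substr($host, -strlen($suffix)) === $suffix;
}

/**
 * Extracts the host from an Origin or Referer header value.
 * Returns null when the header is absent, malformed, or the literal "null"
 * that browsers send as an opaque Origin, so the caller fails closed.
 */
function headerHost(?string $value): ?string
{
    if ($value === null || $value === '' || $value === 'null') {
        return null;
    }
    $host = parse_url($value, PHP_URL_HOST);
    return is_string($host) ? $host : null;
}

/**
 * Decides whether the request's Origin (preferred) or Referer host is one of
 * the configured base hosts or a subdomain of one of them.
 * $allowedBases plays the role of the whitelist the issue asks for (hypothetical).
 */
function isAllowedOrigin(array $headers, array $allowedBases): bool
{
    $candidate = headerHost($headers['Origin'] ?? null)
        ?? headerHost($headers['Referer'] ?? null);
    if ($candidate === null) {
        return false; // no usable header: reject rather than guess
    }
    foreach ($allowedBases as $base) {
        if (hostMatchesBase($candidate, $base)) {
            return true;
        }
    }
    return false;
}

// Constructed sample requests covering the case from the issue and its edge cases.
$allowed = ['foo.steam250.com'];
$samples = [
    'exact host, Origin'            => ['Origin' => 'https://foo.steam250.com'],
    'subdomain, Origin'             => ['Origin' => 'https://bar.foo.steam250.com'],
    'subdomain, Referer with path'  => ['Referer' => 'https://bar.foo.steam250.com/page?x=1'],
    'lookalike suffix'              => ['Origin' => 'https://evilfoo.steam250.com'],
    'parent domain, not a subdomain'=> ['Origin' => 'https://steam250.com'],
    'opaque Origin'                 => ['Origin' => 'null'],
    'no headers at all'             => [],
];
foreach ($samples as $label => $headers) {
    printf("%-32s %s\n", $label, isAllowedOrigin($headers, $allowed) ? 'allowed' : 'rejected');
}
```

Two design points worth keeping in mind if something like this is adopted: the check matches against a configured base host rather than the TLD, because matching on the TLD alone would accept any `.com` site; and allowing every subdomain of a base is only as strong as the weakest host under that base, so the whitelist should name bases whose subdomains are all under the application owner's control.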
