We have a web extension using Chrome Manifest V3 <https://developer.chrome.com/docs/extensions/mv3/intro/>, which talks with a backend web service written with Django (3.2) / Django Rest Framework, and served with Gunicorn/Nginx.

After turning on HTTPS, we are no longer able to successfully make unsafe (e.g. POST) requests to the Django app. The reason things have broken is clear to us, but it seems unclear how they can be fixed without turning off CSRF protection everywhere:

> csrf failed: referer checking failed: no referer

As explained in the Django docs, in this scenario Django requires that the client send both a CSRF token and a Referer header. <https://docs.djangoproject.com/en/3.2/ref/csrf/#how-it-works>

Our extension can easily grab the CSRF token, but it seems impossible to actually send a Referer header, which instead seems to be stripped out by the browser. Chrome MV3 has switched to `chrome.declarativeNetRequest`, which currently does not allow a modify or set on request headers (only response). This appears to be a known "bug" or a point of contention, though it depends on who you ask.

The Django app requires SessionAuthentication. It uses SECURE_REFERRER_POLICY = "no-referrer-when-downgrade". Nginx sends X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Proto to the Django app.

All of this leaves us seemingly SOL. What makes things more tricky is that the Chrome extension URL is effectively random, e.g. chrome-extension://asdfasdfadsf, and this doesn't seem to work with CSRF_TRUSTED_ORIGINS anyway.

Are we missing anything here, or are we left to just blanket-csrf_exempt everything?

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/560b42d9-ec18-4912-ad14-cfab998d8722n%40googlegroups.com.
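To make the failure mode in the post concrete, here is an added, simplified stand-in for the Referer check that Django 3.2's CsrfViewMiddleware applies to unsafe requests over HTTPS (modelled on its logic, not Django's own code; the header dict, hostnames and extension id are constructed). It shows why a request with no Referer is rejected, why a `chrome-extension://` Referer would be rejected on scheme even if it were sent, and that CSRF_TRUSTED_ORIGINS entries in 3.2 are host patterns matched against the Referer's host, so a scheme-prefixed extension origin never matches.

```python
from urllib.parse import urlparse

# Rejection reasons, worded like Django's (constructed copies for this example).
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_MALFORMED_REFERER = "Referer checking failed - Referer is malformed."
REASON_INSECURE_REFERER = (
    "Referer checking failed - Referer is insecure while host is secure."
)
REASON_BAD_REFERER = "Referer checking failed - %s does not match any trusted origins."


def is_same_domain(host, pattern):
    """Host/pattern match as Django does it: a leading dot allows subdomains."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])
    ) or pattern == host


def check_referer(headers, server_host, trusted_origins=()):
    """Return None if the HTTPS request passes the Referer check, else the reason.

    `headers` is a plain dict standing in for request.META (HTTP_REFERER);
    `server_host` stands in for request.get_host(); `trusted_origins` for the
    3.2-style CSRF_TRUSTED_ORIGINS list of hostnames. Only Referer is read here:
    an Origin header from the extension plays no part in this check.
    """
    referer = headers.get("Referer")
    if referer is None:
        return REASON_NO_REFERER
    parsed = urlparse(referer)
    if "" in (parsed.scheme, parsed.netloc):
        return REASON_MALFORMED_REFERER
    if parsed.scheme != "https":
        # chrome-extension://<id>/... stops here regardless of trusted origins.
        return REASON_INSECURE_REFERER
    good_hosts = list(trusted_origins) + [server_host]
    if not any(is_same_domain(parsed.netloc.lower(), h) for h in good_hosts):
        return REASON_BAD_REFERER % referer
    return None


if __name__ == "__main__":
    # Constructed requests: the extension's POST (no Referer), the same POST if
    # the browser did send the extension page as Referer, and a same-site page.
    print(check_referer({}, "api.example.com"))
    print(check_referer({"Referer": "chrome-extension://asdfasdfadsf/popup.html"},
                        "api.example.com", ["chrome-extension://asdfasdfadsf"]))
    print(check_referer({"Referer": "https://api.example.com/form/"}, "api.example.com"))
```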
After turning on HTTPS, we are no longer to successfully make unsafe (e.g. POST) requests to the Django app. The reason things has broken is clear to us, but it seems unclear how they can be fixed without turning off csrf protection everywhere. *> csrf failed: referer checking failed: no referer * As explained in the Django docs, in this scenario, Django requires that the client send both a csrf token and a Referer header. <https://docs.djangoproject.com/en/3.2/ref/csrf/#how-it-works> Our extension can easily grab the csrf token, but it seems impossible to actually send a Referer header, which instead seems to be stripped out by the browser. Chrome MV3 has switched to `chrome.declarativenetrequest`, which currently does not allow a modify or set on request headers (only response). This appears to be a known "bug" or a point of contention, though depends who you ask. The Django app requires SessionAuthentication. It uses SECURE_REFERRER_POLICY = "no-referrer-when-downgrade". Nginx sends X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Proto to the Django app. All of this leaves us seemingly SOL. What makes things more tricky is that the chrome extension URL is effectively random, e.g. chrome-extension://asdfasdfadsf, and this doesn't seem to work with CSRF_TRUSTED_ORIGINS anyway. Are we missing anything here, or are we left to just blanket-csrf_exempt everything? -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/560b42d9-ec18-4912-ad14-cfab998d8722n%40googlegroups.com.