Closed pts-davidpark closed 5 years ago
It appears that the referrer checking does allow for the domain specified in the origin header. https://github.com/maxcountryman/flask-seasurf/blob/master/flask_seasurf.py#L260
Note, I have not used the package yet. I am just passing through to see if it meets my needs.
Further explanation here.
If I have specified 3rd party origins (CORS) access to particular views, wouldn't the referrer checking (in HTTPS) always return a 403 because the origins would never match? In short, I would have to disable CSRF protection for those views.
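To make the concern concrete, here is an added illustration (not flask-seasurf's own code, which is linked above) of a strict same-origin Referer check on HTTPS requests, plus a constructed trusted-origin allowlist as the mitigation a defender would reach for before exempting a view from CSRF protection entirely. The hostnames, the `trusted_origins` parameter and the `referer_check` helper are assumptions made for this example.

```python
from urllib.parse import urlparse


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in default ports.

    Returns None for URLs without a scheme or host (e.g. a bare path).
    """
    parsed = urlparse(url)
    if not parsed.scheme or not parsed.hostname:
        return None
    port = parsed.port or (443 if parsed.scheme.lower() == "https" else 80)
    return (parsed.scheme.lower(), parsed.hostname.lower(), port)


def same_origin(url_a, url_b):
    """True when both URLs share scheme, host and port."""
    a, b = origin_of(url_a), origin_of(url_b)
    return a is not None and a == b


def referer_check(url_root, headers, trusted_origins=()):
    """Strict Referer check of the kind applied to HTTPS requests.

    url_root        -- the scheme://host[:port]/ the app is served from
    headers         -- dict of request headers (constructed in this example)
    trusted_origins -- hypothetical allowlist of cross-origin referers
    Returns (allowed, reason).
    """
    if origin_of(url_root) is None or origin_of(url_root)[0] != "https":
        return True, "not https; referer check skipped"
    referer = headers.get("Referer")
    if referer is None:
        return False, "no referer"            # strict mode: missing Referer fails
    if same_origin(referer, url_root):
        return True, "same origin"
    if any(same_origin(referer, t) for t in trusted_origins):
        return True, "trusted cross-origin referer"
    return False, "referer origin mismatch"   # this is the 403 the post worries about


def demo():
    """Constructed request from a CORS partner site to an HTTPS API."""
    api = "https://api.example.test/"
    partner = {"Referer": "https://app.partner.test/checkout"}
    # Without an allowlist the cross-origin POST is rejected.
    rejected = referer_check(api, partner)
    # With the partner origin trusted, the same request passes.
    allowed = referer_check(api, partner, trusted_origins=("https://app.partner.test",))
    return rejected, allowed
```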