pretix / pretix

Ticket shop application for conferences, festivals, concerts, tech events, shows, exhibitions, workshops, barcamps, etc.
https://pretix.eu

CSRF Error for Custom Event Domains #4132

Closed fthorns closed 1 week ago

fthorns commented 1 week ago

Problem and impact

When using a custom event domain with the self hosted version of Pretix, adding a product to the cart leads to a CSRF error:

WARNING 2024-05-05 20:21:19,519 django.security.csrf log Forbidden (Origin checking failed - https://event1.example.com does not match any trusted origins.): /cart/add

The default settings.py file restricts CSRF origins only to the main address of the Pretix instance:

CSRF_TRUSTED_ORIGINS = [urlparse(SITE_URL).scheme + '://' + urlparse(SITE_URL).hostname]

Adding the event page to the settings solves this problem:

CSRF_TRUSTED_ORIGINS = [ "https://pretix.example.com", "https://event1.example.com" ]

It would be great to adjust the definition of CSRF_TRUSTED_ORIGINS to include all configured custom domains for both organizers as well as events, or provide an option in the Pretix configuration to specify all trusted CSRF origins.

Expected behaviour

Custom domains would automatically be considered trusted CSRF origins, or there would be a documented option to manually configure all trusted CSRF origins in the Pretix configuration file.

Steps to reproduce

  1. Configure a new hostname in DNS and as an alias in the reverse proxy in front of Pretix (e.g. event1.example.com)
  2. Create a new event and configure event1.example.com as Custom Domain, along with all other required configuration
  3. Open the shop on the Custom Domain (works) and try to add a ticket to the cart

Screenshots

No response

Link

No response

Browser (software, desktop or mobile?) and version

No response

Operating system, dependency versions

No response

Version

Docker image pretix/standalone:2024.4.0
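The following is an added example, not code from pretix or from the issue author, that models the two-step Origin check Django applies to unsafe requests: the Origin header is first compared against the scheme and host the application computes for itself, and only then against CSRF_TRUSTED_ORIGINS. The hostnames, the CSRF_TRUSTED_ORIGINS derivation and the request headers are constructed to match the issue; the functions `check_cart_add` and `origin_verified` are hypothetical helpers, and wildcard trusted origins and other Django details are deliberately omitted.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed values matching the deployment described in the issue.
SITE_URL = "https://pretix.example.com"

# Same derivation as the settings.py line quoted in the issue: only the
# main instance hostname is trusted.
CSRF_TRUSTED_ORIGINS = [urlparse(SITE_URL).scheme + "://" + urlparse(SITE_URL).hostname]


def request_origin_as_seen_by_app(host: str, forwarded_proto: Optional[str]) -> str:
    """Origin the application believes it is serving.

    Simplified model of the usual reverse-proxy setup in which the app trusts
    the X-Forwarded-Proto header to decide whether the request was HTTPS.
    If the proxy drops that header, the app assumes plain http even though
    the browser connected over https.
    """
    scheme = "https" if forwarded_proto == "https" else "http"
    return f"{scheme}://{host}"


def origin_verified(origin_header: str, host: str, forwarded_proto: Optional[str],
                    trusted_origins: List[str]) -> bool:
    """Simplified model of the Origin check for an unsafe (POST) request.

    Passes if the browser's Origin equals the origin the app computes for
    itself, or if it is listed explicitly in the trusted origins.
    """
    if origin_header == request_origin_as_seen_by_app(host, forwarded_proto):
        return True
    return origin_header in trusted_origins


def check_cart_add(headers: Dict[str, str],
                   trusted_origins: Optional[List[str]] = None) -> Tuple[bool, str]:
    """Run the modelled check on a /cart/add request and return (allowed, message).

    The failure message mirrors the wording of the warning quoted in the issue.
    """
    trusted = CSRF_TRUSTED_ORIGINS if trusted_origins is None else trusted_origins
    origin = headers.get("Origin", "")
    host = headers.get("Host", "")
    proto = headers.get("X-Forwarded-Proto")
    if origin_verified(origin, host, proto, trusted):
        return True, "ok"
    return False, (f"Forbidden (Origin checking failed - {origin} does not match "
                   f"any trusted origins.): /cart/add")


if __name__ == "__main__":
    # Constructed requests: a browser posting to the custom event domain.
    base = {"Origin": "https://event1.example.com", "Host": "event1.example.com"}
    # 1. Proxy drops X-Forwarded-Proto: the app computes http://event1.example.com,
    #    the Origin says https, and the fallback list does not contain the domain.
    print(check_cart_add(base))
    # 2. Proxy forwards the scheme: the computed origin matches, no list entry needed.
    print(check_cart_add({**base, "X-Forwarded-Proto": "https"}))
    # 3. Workaround from the issue: listing the domain masks the missing header.
    print(check_cart_add(base, ["https://pretix.example.com", "https://event1.example.com"]))
```

Scenario 4 in the test below is worth noting: a request to the main instance domain passes even without X-Forwarded-Proto, because the derived CSRF_TRUSTED_ORIGINS entry catches it. That is why the misconfiguration only surfaces on custom domains, and why the proxy header, not the settings list, is the fix.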

raphaelm commented 1 week ago

I am 99% sure this does not occur with the documented example proxy configuration, sounds like some header missing although I don't immediately know which one

fthorns commented 1 week ago

Make it 100%, for whatever reason the X-Forwarded-Proto header didn't make it through, now that this header is there everything works great. Thousand thanks for the hint!