Closed fthorns closed 1 week ago
I am 99% sure this does not occur with the documented example proxy configuration. Sounds like some header is missing, although I don't immediately know which one.
Make it 100%. For whatever reason the X-Forwarded-Proto header didn't make it through; now that this header is there, everything works great. Thousand thanks for the hint!
Problem and impact
When using a custom event domain with the self-hosted version of Pretix, adding a product to the cart leads to a CSRF error:
The default settings.py file restricts CSRF origins only to the main address of the Pretix instance:
Adding the event page to the settings solves this problem:
It would be great to adjust the definition of CSRF_TRUSTED_ORIGINS to include all configured custom domains for both organizers as well as events, or provide an option in the Pretix configuration to specify all trusted CSRF origins.
Expected behaviour
Custom domains would automatically be considered trusted CSRF origins, or there would be a documented option to manually configure all trusted CSRF origins in the Pretix configuration file.
Steps to reproduce
Screenshots
No response
Link
No response
Browser (software, desktop or mobile?) and version
No response
Operating system, dependency versions
No response
Version
Docker image pretix/standalone:2024.4.0
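An added example, not taken from this thread and not Django's or Pretix's own code: a simplified model of how Django's documented Origin-header CSRF check reacts when a TLS-terminating proxy drops X-Forwarded-Proto, which is the resolution reported above. It assumes the backend is configured with SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https"); the host name tickets.example.org and the function names are hypothetical.

```python
# Simplified model of Django's Origin-header CSRF check.
# Not Django's or Pretix's code; wildcard trusted origins are left out.
# Assumption: SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https").
PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def request_scheme(meta):
    """Scheme the backend believes the client used."""
    name, secure_value = PROXY_SSL_HEADER
    value = meta.get(name)
    if value is not None:
        # Only the first value of a comma-separated list is considered.
        return "https" if value.split(",")[0].strip() == secure_value else "http"
    # Header absent: fall back to the proxy-to-backend hop, usually plain HTTP.
    return meta.get("wsgi.url_scheme", "http")


def origin_verified(meta, trusted_origins=()):
    """True if the browser's Origin header is acceptable for this request."""
    origin = meta["HTTP_ORIGIN"]
    expected = f"{request_scheme(meta)}://{meta['HTTP_HOST']}"
    if origin == expected:
        return True
    # Fallback: exact match against the configured trusted origins.
    return origin in trusted_origins


# Constructed requests for a hypothetical custom event domain.
BASE = {
    "HTTP_HOST": "tickets.example.org",
    "HTTP_ORIGIN": "https://tickets.example.org",  # sent by the browser
    "wsgi.url_scheme": "http",  # proxy talks plain HTTP to the backend
}
WITHOUT_HEADER = dict(BASE)
WITH_HEADER = dict(BASE, HTTP_X_FORWARDED_PROTO="https")

if __name__ == "__main__":
    print("header missing:", origin_verified(WITHOUT_HEADER))
    print("header set:", origin_verified(WITH_HEADER))
    print("header missing, origin listed:",
          origin_verified(WITHOUT_HEADER, ["https://tickets.example.org"]))
```

Listing the custom domain as a trusted origin makes the check pass, but the backend still believes the request arrived over plain HTTP, so restoring the header at the proxy is the fix that addresses the cause.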