Comment 6 for bug 978896

Paul McMillan (paul-mcmillan) wrote :

The Django security team is reviewing this issue. The same reporter sent us a similar report this morning via the <email address hidden> alias.

We've dealt with several similar issues in the past. I haven't had a chance to personally verify this bug. If it is valid, it's a Django issue, and not something that should be fixed in Horizon.

The CSRF token portion of this report is irrelevant, given how Django's CSRF tokens work.

The impact is relatively limited for most real-world deployments - generally restricted to any of the following:
 - there are existing XSS/CSRF bugs in the Django app
 - there are login-CSRF bugs (XSS or CSRF on related subdomains is the most common case)
 - an attacker can otherwise read/set arbitrary cookies on your browser prior to logging into the site (Wi-Fi MITM, physical access)
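As an added illustration of the comment's point about CSRF tokens (this is example code written for this page, not Django's or Horizon's code): Django's CSRF protection is a double-submit scheme, the token in the csrftoken cookie must match the token submitted in the form field or header. A classic cross-site attacker cannot read the victim's cookie and so cannot supply a matching token, but any attacker who can already set cookies in the victim's browser (the subdomain-XSS, MITM and physical-access cases listed above) can plant a token of their own choosing and submit the same value, so the CSRF check gives no extra protection in exactly the scenarios the report depends on. The check below is a minimal model of that comparison; the cookie and field names mirror Django's, the dict-based request shape is an assumption for the example.

```python
import hmac
import secrets

# Names mirror Django's defaults; the dict-shaped "request" is an assumption of this example.
COOKIE_NAME = "csrftoken"
FORM_FIELD = "csrfmiddlewaretoken"


def csrf_check(cookies, post):
    """Double-submit check modelled on Django's middleware (not Django's code):
    the token in the CSRF cookie must equal the token submitted with the form.
    Returns True when the request passes."""
    cookie_tok = cookies.get(COOKIE_NAME)
    form_tok = post.get(FORM_FIELD)
    if not cookie_tok or not form_tok:
        return False
    # Constant-time comparison, as Django also does.
    return hmac.compare_digest(cookie_tok, form_tok)


def classic_csrf_attempt():
    """Ordinary cross-site attacker: cannot read the victim's cookie (same-origin
    policy), so the forged form carries a token that cannot match. Constructed data."""
    victim_cookies = {COOKIE_NAME: secrets.token_hex(16)}
    forged_post = {"username": "attacker", FORM_FIELD: secrets.token_hex(16)}
    return csrf_check(victim_cookies, forged_post)


def cookie_setting_attacker():
    """Attacker who can set cookies in the victim's browser beforehand (related
    subdomain, MITM, physical access): plants a known token, then submits the same
    value in the forged form. The double-submit check passes. Constructed data."""
    planted = secrets.token_hex(16)
    victim_cookies = {COOKIE_NAME: planted}          # set by the attacker, not the site
    forged_post = {"username": "attacker", FORM_FIELD: planted}
    return csrf_check(victim_cookies, forged_post)


if __name__ == "__main__":
    print("classic cross-site attacker passes CSRF check:", classic_csrf_attempt())
    print("cookie-setting attacker passes CSRF check:   ", cookie_setting_attacker())
```

This is why the threat model matters more than the token itself: once an attacker can write cookies for the site's domain, the same capability that makes session cookie attacks possible also defeats any cookie-based CSRF defence.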