The Problem:
In Django 1.9, CSRF_TRUSTED_ORIGINS was added to the available settings, which allows, for example, accessing the application from all the subdomains:
CSRF_TRUSTED_ORIGINS = ["*.example.com"]
Which is exactly what we need.
The problem is, we've got a legacy system with Django 1.6 (don't ask, it is sad). Cannot upgrade.
And, in Django 1.6 the origin check is built/hardcoded into the csrf middleware.
The Question: What is the best way to approach the problem? Custom csrf middleware instead of the built-in?
Would appreciate any pointers.
Fixed, basically, by backporting the csrf middleware from Django 1.9 manually to be compatible with Django 1.6. Not pretty, but works at the moment.
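The core of what a backported or custom middleware has to get right is the Referer host comparison for HTTPS requests, so here is a standalone sketch of that matching logic. It is an added example, not Django's code and not the poster's backport; the names `TRUSTED_ORIGINS`, `normalize`, `host_matches` and `referer_allowed` are hypothetical, and accepting both the `*.example.com` spelling from the question and a leading-dot `.example.com` entry is an assumption of the sketch.

```python
from urllib.parse import urlsplit

# Constructed sample setting. "*.example.com" is the spelling used in the
# question; ".example.org" is a leading-dot entry. Both mean "host + subdomains".
TRUSTED_ORIGINS = ["*.example.com", ".example.org"]


def normalize(pattern):
    """Lower-case an entry and turn '*.host' into '.host' (sketch assumption)."""
    pattern = pattern.strip().lower()
    return pattern[1:] if pattern.startswith("*.") else pattern


def host_matches(host, pattern):
    """Exact match, or the domain and its subdomains if pattern starts with '.'."""
    if not host or not pattern:
        return False
    if pattern.startswith("."):
        # The dot stays in the suffix test so "evilexample.com" cannot match.
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def referer_allowed(referer, request_host, trusted=TRUSTED_ORIGINS):
    """Return (ok, reason) for the Referer of an HTTPS POST.

    request_host is the request's Host header without a port (assumption).
    """
    if not referer:
        return False, "no referer"
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False, "malformed referer"
    if not parts.scheme or not parts.netloc:
        return False, "malformed referer"
    if parts.scheme != "https":
        return False, "insecure referer"
    host = (parts.hostname or "").lower()  # hostname drops any port
    allowed = [normalize(p) for p in trusted] + [request_host.lower()]
    if any(host_matches(host, p) for p in allowed):
        return True, "ok"
    return False, "referer host not trusted"
```

With an empty trusted list the function falls back to an exact match on the request host, which is why a sibling subdomain is rejected until the list is populated.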