Seems fairly clear that this is a Django issue, not a Bitbucket issue. Maybe change this link to point to the equivalent Django bug: https://code.djangoproject.com/ticket/16870.
Does anyone know of a good alternative to the Atlassian suite? Given their price structure and popularity, I'd expect them to fix stuff like this in a timely fashion, and fix some basic UI issues.

Bitbucket Server (aka "Stash") examples:

- Creating a pull request (the most common workflow in Bitbucket) takes far too many page loads, and is buried in "hamburger"/"more options".

- For teams with per-developer repos, it does not remember which repos the currently logged-in user frequently uses, so you scroll through everyone on the team's name for most operations. (And the new version "improved" this in some places with a JavaScript-heavy list that renders like molasses on no-GPU Xeon VMs.)

- Each product (Bitbucket, Jira, Confluence) uses a different markup language.

And so on. I could complain about other workflows or other products, but this is pretty typical for their stuff.
Relying on the referrer header for CSRF protection is dubious at best. Just use a token like everybody else, protect against session fixation, call it a day.
I really don't think this is a big deal. I run a medium-size website with well over 2000 unique users per day and also require the Referer header to use the website. So far, I've yet to receive a single complaint or find a browser that doesn't send it.

It might be optional as per the spec, but it's completely ubiquitous at this point, and provides an easy way to add an extra layer of safety for web developers.
Well, you should not POST from HTTP to HTTPS anyway.

I highly doubt there is any good reason to do it anywhere, and in the one case where you think you have a good reason (I still doubt it), don't try to anonymize the hell out of a logged-on request.
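To make the two approaches argued over in this thread concrete, here is an added example (not Django's code and not from any commenter): a strict Referer-only check beside a session-bound synchronizer-token check, applied to the same constructed requests, including the HTTP-to-HTTPS POST where browsers omit the Referer. Request layout, field names and the rotation-on-login helper are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed request shape for the example (an assumption, not a real framework API):
# {"headers": {...}, "session": {...}, "form": {...}}


def referer_check(request: dict, allowed_host: str) -> bool:
    """Strict Referer policy for HTTPS endpoints.

    A request with no Referer is rejected, so an HTTP page posting to HTTPS
    (where browsers drop the header) is a false positive, which is the
    behaviour the thread is complaining about.
    """
    referer = request.get("headers", {}).get("Referer")
    if referer is None:
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.hostname == allowed_host


def token_check(request: dict) -> bool:
    """Synchronizer token: the form token must equal the token bound to the session.

    Independent of the Referer header, so it survives header-stripping proxies
    and mixed-scheme posts. Compared in constant time.
    """
    session_token = request.get("session", {}).get("csrf_token")
    form_token = request.get("form", {}).get("csrf_token")
    if not session_token or not form_token:
        return False
    return hmac.compare_digest(session_token, form_token)


def rotate_on_login(session: dict) -> dict:
    """Issue a fresh session id and CSRF token at login so a token or session id
    planted before authentication (session fixation) is not carried over."""
    session["id"] = secrets.token_urlsafe(32)
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session


def evaluate(request: dict, allowed_host: str) -> tuple:
    """Return (referer_ok, token_ok) so the two policies can be compared side by side."""
    return referer_check(request, allowed_host), token_check(request)
```

Running `evaluate` on a constructed HTTP-to-HTTPS POST with a valid token returns `(False, True)`: the Referer policy rejects a legitimate request that the token policy accepts, while a cross-site request with neither a matching Referer nor a token fails both.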