On 2019-02-19 00:39, John Rouillard wrote:
> I assume this has fixed your issue with wsgi and the CSRF code is now
> working ok?

Yes it did.

> Where should this patch be applied? If I understand you correctly
> this breaks CSRF behind a proxy (as X-FORWARDED-HOST is not mapped
> correctly). It also breaks xmlrpc (but not REST yet) when
> the X-REQUESTED-WITH header is required.

I got issue only with xmlrpc API for now. But no issue with CSRF because
my configuration is 'yes' and not 'required'.

> It certainly needs to be applied to the tip, but maybe we also need
> to create a branch from 1.6.0 and somebody can release a 1.6.1?
> 
> So what do you think?

Yes it will be great to have a bugfix release.
Otherwise as the roundup package manager for Gentoo, I will have to
apply this patch on the 1.6.0 ebuild.