Added a custom csrf failure view

src/pretix/base/templates/csrffail.html

@@ -0,0 +1,24 @@
+{% extends "error.html" %}
+{% load i18n %}
+{% block title %}{% trans "Verification failed" %}{% endblock %}
+{% block content %}
+    <i class="fa fa-frown-o big-icon"></i>
+    <h1>{% trans "Verification failed" %}</h1>
+    <p>{% blocktrans trimmed %}
+        We could not verify that this request really was sent from you. For security reasons, we therefore cannot process it.
+    {% endblocktrans %}</p>
+    {% if no_referer %}
+        <p>{{ no_referer1 }}</p>
+        <p>{{ no_referer2 }}</p>
+    {% elif no_cookie %}
+        <p>{{ no_cookie1 }}</p>
+        <p>{{ no_cookie2 }}</p>
+    {% else %}
+        <p>{% blocktrans trimmed %}
+            Please go back to the last page, refresh this page and then try again. If the problem persists, please get in touch with us.
+        {% endblocktrans %}</p>
+    {% endif %}
+    <p>
+        <a href="javascript:history.back()">{% trans "Take a step back" %}</a>
+    </p>
+{% endblock %}

src/pretix/base/views/errors.py

@@ -0,0 +1,33 @@
+from django.http import HttpResponseForbidden
+from django.middleware.csrf import REASON_NO_CSRF_COOKIE, REASON_NO_REFERER
+from django.template import Context
+from django.template.loader import get_template
+from django.utils.translation import ugettext as _
+
+
+def csrf_failure(request, reason=""):
+    t = get_template('csrffail.html')
+    c = Context({
+        'reason': reason,
+        'no_referer': reason == REASON_NO_REFERER,
+        'no_referer1': _(
+            "You are seeing this message because this HTTPS site requires a "
+            "'Referer header' to be sent by your Web browser, but none was "
+            "sent. This header is required for security reasons, to ensure "
+            "that your browser is not being hijacked by third parties."),
+        'no_referer2': _(
+            "If you have configured your browser to disable 'Referer' headers, "
+            "please re-enable them, at least for this site, or for HTTPS "
+            "connections, or for 'same-origin' requests."),
+        'no_cookie': reason == REASON_NO_CSRF_COOKIE,
+        'no_cookie1': _(
+            "You are seeing this message because this site requires a CSRF "
+            "cookie when submitting forms. This cookie is required for "
+            "security reasons, to ensure that your browser is not being "
+            "hijacked by third parties."),
+        'no_cookie2': _(
+            "If you have configured your browser to disable cookies, please "
+            "re-enable them, at least for this site, or for 'same-origin' "
+            "requests."),
+    })
+    return HttpResponseForbidden(t.render(c), content_type='text/html')

src/pretix/settings.py

@@ -201,6 +201,7 @@ django.conf.locale.LANG_INFO.update(EXTRA_LANG_INFO)
 AUTH_USER_MODEL = 'pretixbase.User'
 LOGIN_URL = '/login'  # global login does not yet exist
 LOGIN_URL_CONTROL = 'control:auth.login'
+CSRF_FAILURE_VIEW = 'pretix.base.views.errors.csrf_failure'
 
 template_loaders = (
     'django.template.loaders.filesystem.Loader',