mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-11-04 05:35:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Added clarifying note to docs for CSRF_COOKIE_DOMAIN

Browse source 
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16197 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Luke Plant 2011-05-09 22:59:52 +00:00
parent 8122ce7c76
commit bf7af2be15
2 changed files with 8 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/ref/contrib/csrf.txt
View file

@ -280,6 +280,8 @@ CSRF checks::
>>> from django.test import Client >>> from django.test import Client
>>> csrf_client = Client(enforce_csrf_checks=True) >>> csrf_client = Client(enforce_csrf_checks=True)
.. _csrf-limitations:
Limitations Limitations
=========== ===========

8
docs/ref/settings.txt
View file

@ -319,11 +319,15 @@ CSRF_COOKIE_DOMAIN
Default: ``None`` Default: ``None``
The domain to be used when setting the CSRF cookie. This can be useful for The domain to be used when setting the CSRF cookie. This can be useful for
allowing cross-subdomain requests to be exluded from the normal cross site easily allowing cross-subdomain requests to be exluded from the normal cross
request forgery protection. It should be set to a string such as site request forgery protection. It should be set to a string such as
``".lawrence.com"`` to allow a POST request from a form on one subdomain to be ``".lawrence.com"`` to allow a POST request from a form on one subdomain to be
accepted by accepted by a view served from another subdomain. accepted by accepted by a view served from another subdomain.
Please note that the presence of this setting does not imply that Django's CSRF
protection is safe from cross-subdomain attacks by default - please see the
:ref:`CSRF limitations <csrf-limitations>` section.
.. setting:: CSRF_COOKIE_NAME .. setting:: CSRF_COOKIE_NAME
CSRF_COOKIE_NAME CSRF_COOKIE_NAME