Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme.

Tim Graham 2021-01-12 19:55:02 -05:00 committed by Mariusz Felisiak
parent 9bf5e9418f
commit dba44a7a7a
8 changed files with 89 additions and 7 deletions

@ -123,6 +123,9 @@ upgrading Django.
* **2_0.W001**: Your URL pattern ``<pattern>`` has a ``route`` that contains
``(?P<``, begins with a ``^``, or ends with a ``$``. This was likely an
oversight when migrating from ``url()`` to :func:`~django.urls.path`.
* **4_0.E001**: As of Django 4.0, the values in the
:setting:`CSRF_TRUSTED_ORIGINS` setting must start with a scheme (usually
``http://`` or ``https://``) but found ``<hostname>``.
Caches
------
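Review bot: the new ``4_0.E001`` entry only describes a missing scheme, but the release notes in this same commit also require dot-prefixed values such as ``'.example.com'`` to be rewritten as ``'https://*.example.com'``; either state here that the check also reports a leading-dot value without the ``*``, or, if it only inspects the scheme, say so explicitly, since a reader who only prepends ``https://`` to ``'.example.com'`` still ends up with a value that does not match the documented format.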

@ -457,15 +457,24 @@ should be ``'HTTP_X_XSRF_TOKEN'``.
Default: ``[]`` (Empty list)
A list of hosts which are trusted origins for unsafe requests (e.g. ``POST``).
A list of trusted origins for unsafe requests (e.g. ``POST``).
For a :meth:`secure <django.http.HttpRequest.is_secure>` unsafe
request, Django's CSRF protection requires that the request have a ``Referer``
header that matches the origin present in the ``Host`` header. This prevents,
for example, a ``POST`` request from ``subdomain.example.com`` from succeeding
against ``api.example.com``. If you need cross-origin unsafe requests over
HTTPS, continuing the example, add ``"subdomain.example.com"`` to this list.
The setting also supports subdomains, so you could add ``".example.com"``, for
example, to allow access from all subdomains of ``example.com``.
HTTPS, continuing the example, add ``'https://subdomain.example.com'`` to this
list (and/or ``http://...`` if requests originate from an insecure page).
The setting also supports subdomains, so you could add
``'https://*.example.com'``, for example, to allow access from all subdomains
of ``example.com``.
.. versionchanged:: 4.0
The values in older versions must only include the hostname (possibly with
a leading dot) and not the scheme or an asterisk.
.. setting:: DATABASES
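Review bot: the rewritten paragraph still opens by scoping the ``Referer`` check to a :meth:`secure <django.http.HttpRequest.is_secure>` request, yet the new parenthetical tells readers to add ``http://...`` entries "if requests originate from an insecure page"; say when an ``http://`` origin is actually consulted, or drop the parenthetical, otherwise the two sentences read as contradicting each other. The wildcard sentence should also spell out the trust boundary: ``'https://*.example.com'`` trusts every subdomain of ``example.com``, including any the reader does not operate, so the narrowest explicit list (``'https://subdomain.example.com'``) should be presented as the default and the wildcard as the deliberate widening.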

@ -307,6 +307,22 @@ Upstream support for Oracle 12.2 ends in March 2022 and for Oracle 18c it ends
in June 2021. Django 3.2 will be supported until April 2024. Django 4.0
officially supports Oracle 19c.
.. _csrf-trusted-origins-changes-4.0:
``CSRF_TRUSTED_ORIGINS`` changes
--------------------------------
Format change
~~~~~~~~~~~~~
Values in the :setting:`CSRF_TRUSTED_ORIGINS` setting must include the scheme
(e.g. ``'http://'`` or ``'https://'``) instead of only the hostname.
Also, values that started with a dot, must now also include an asterisk before
the dot. For example, change ``'.example.com'`` to ``'https://*.example.com'``.
A system check detects any required changes.
Miscellaneous
-------------
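Review bot: drop the stray comma in ``values that started with a dot, must now also include an asterisk before the dot``, and name the check (``4_0.E001`` in the checks reference updated by this commit) in ``A system check detects any required changes.`` so readers can find the message they will see. The only migration example given is the dot-to-asterisk rewrite; add the plain-hostname case too (``'example.com'`` to ``'https://example.com'``), since that is the change most deployments need and the asterisk example alone may suggest a wildcard is required.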