Added a reference for the claim in CSRF docs that GET requests
should be side-effect free.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@5902 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 296d8d4553
commit c568792e81
@ -41,10 +41,10 @@ CsrfMiddleware does two things:
This ensures that only forms that have originated from your web site
This ensures that only forms that have originated from your web site
can be used to POST data back.
can be used to POST data back.
It deliberately only targets HTTP POST requests (and the corresponding
It deliberately only targets HTTP POST requests (and the corresponding POST
POST forms). GET requests ought never to have side effects (if you are
forms). GET requests ought never to have any potentially dangerous side
using HTTP GET and POST correctly), and so a CSRF attack with a GET
effects (see `9.1.1 Safe Methods, HTTP 1.1, RFC 2616`_), and so a
request will always be harmless.
CSRF attack with a GET request ought to be harmless.
POST requests that are not accompanied by a session cookie are not protected,
POST requests that are not accompanied by a session cookie are not protected,
but they do not need to be protected, since the 'attacking' web site
but they do not need to be protected, since the 'attacking' web site
@ -54,6 +54,8 @@ The Content-Type is checked before modifying the response, and only
pages that are served as 'text/html' or 'application/xml+xhtml'
pages that are served as 'text/html' or 'application/xml+xhtml'
are modified.
are modified.
.. _9.1.1 Safe Methods, HTTP 1.1, RFC 2616: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
Limitations
Limitations
===========
===========
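Review bot: the new target `.. _9.1.1 Safe Methods, HTTP 1.1, RFC 2616: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html` links to the whole of RFC 2616 section 9 rather than to subsection 9.1.1 that the link text names; appending the subsection anchor (`#sec9.1.1` in the w3.org rendering) takes the reader straight to the definition of safe methods. The target name matches the reference in the first hunk exactly, including the commas, so reST will resolve it, and placing the target before the "Limitations" heading is valid since reST resolves hyperlink targets anywhere in the file.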