8e675e2bd8
Fixed #30299 -- Removed jQuery dependency from getCookie() in CSRF docs.
2019-03-28 19:51:54 -04:00
9b15ff08ba
Used auto-numbered lists in documentation.
2018-11-15 13:54:28 -05:00
76b3367035
Fixed #29879 -- Added CSRF_COOKIE_HTTPONLY to CSRF AJAX docs.
2018-10-25 11:39:52 -04:00
a29fce8984
Fixed #29858 -- Clarified docs regarding CSRF token header name.
2018-10-18 19:44:15 -04:00
31407fa3b3
Removed duplicate words in docs.
...
.
2018-07-18 11:24:06 -04:00
35319bf12c
Alphabetized imports in various docs.
...
Follow-up of d97cce34097d3fe36c62
2018-05-12 19:37:42 +02:00
4660ce5a69
Fixed #29375 -- Removed empty action attribute on HTML forms.
2018-05-02 09:20:04 -04:00
9a56b4b13e
Fixed #27863 -- Added support for the SameSite cookie flag.
...
Thanks Alex Gaynor for contributing to the patch.
2018-04-13 20:58:31 -04:00
5446b72003
Removed versionadded/changed annotations for 1.11.
2017-09-22 12:51:18 -04:00
0af14b2eaa
Refs #16870 -- Doc'd that CSRF protection requires the Referer header.
2017-06-22 11:50:00 -04:00
01f658644a
Updated various links in docs to avoid redirects
...
Thanks Tim Graham and Mariusz Felisiak for review and completion.
2017-05-22 19:28:44 +02:00
503e944ac7
Refs #16859 -- Updated CSRF FAQ to mention CSRF_USE_SESSIONS setting.
2017-01-20 18:56:48 -05:00
e27e4c0339
Removed versionadded/changed annotations for 1.10.
2017-01-17 20:52:05 -05:00
ddf169cdac
Refs #16859 -- Allowed storing CSRF tokens in sessions.
...
Major thanks to Shai for helping to refactor the tests, and to
Shai, Tim, Florian, and others for extensive and helpful review.
2016-11-30 08:57:27 -05:00
222e1334bf
Used strict comparison in docs/ref/csrf.txt's JavaScript.
2016-06-28 12:51:51 -04:00
55fec16aaf
Fixed #26628 -- Changed CSRF logger to django.security.csrf.
2016-06-04 10:17:06 -04:00
9c53facc45
Fixed #26596 -- Added Jinja2 {{ csrf_input }} documentation.
2016-06-03 15:24:45 -04:00
261738990e
Added syntax highlighting to CSRF example.
2016-06-03 15:18:58 -04:00
ff9198ee0f
Refs #26628 -- Documented CSRF failure logging.
2016-06-02 20:42:41 -04:00
46a38307c2
Removed versionadded/changed annotations for 1.9.
2016-05-20 11:44:29 -04:00
5112e65ef2
Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
...
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).
While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).
Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2016-05-19 05:02:19 +03:00
9baf692a58
Fixed #26601 -- Improved middleware per DEP 0005.
...
Thanks Tim Graham for polishing the patch, updating the tests, and
writing documentation. Thanks Carl Meyer for shepherding the DEP.
2016-05-17 07:22:22 -04:00
ac77c55bc5
Fixed #26567 -- Updated references to obsolete RFC2616.
...
Didn't touch comments where it wasn't obvious that the code adhered to
the newer standard.
2016-05-03 11:14:40 -04:00
369fa471f4
Fixed #26201 -- Documented the consequences of rotating the CSRF token on login.
2016-04-05 11:02:38 -04:00
a1b1688c7d
Fixed #26165 -- Added some FAQs about CSRF protection.
...
Thanks Florian Apolloner and Shai Berger for review.
2016-03-01 08:45:05 -05:00
7a7b82e6f4
Fixed #26181 -- Corrected AngularJS CSRF example.
2016-02-09 09:22:23 -05:00
77974a684a
Changed `action="."` to `action=""` in tests and docs.
...
`action="."` strips query parameters from the URL which is not usually what
you want. Copy-paste coding of these examples could lead to difficult to
track down bugs or even data loss if the query parameter was meant to alter
the scope of a form's POST request.
2016-01-21 13:59:15 -05:00
6a4f13de27
Added docs about configuring CSRF support in AngularJS.
2016-01-15 10:14:52 -05:00
4d83b0163e
Fixed #25969 -- Replaced render_to_response() with render() in docs examples.
2015-12-23 09:14:32 -05:00
7aabd62380
Fixed #25778 -- Updated docs links to use https when available.
2015-12-01 08:01:34 -05:00
1f8dad6915
Fixed #25755 -- Unified spelling of "website".
2015-11-16 06:44:14 -05:00
b0c56b895f
Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.
...
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
2015-09-16 12:21:50 -04:00
ab26b65b2f
Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS.
...
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other
domains that are included during the CSRF Referer header verification
for secure (HTTPS) requests.
2015-09-05 09:19:57 -04:00
f9de197268
Recommended the JavaScript Cookie library instead of jQuery cookie.
...
jQuery cookie is no longer maintained in favor of the JavaScript
cookie library. This also removes the jQuery dependency.
2015-08-19 10:04:01 -04:00
08c980d752
Updated capitalization in the word "JavaScript" for consistency
2015-05-01 13:26:42 -04:00
668d53cd12
Fixed #21495 -- Added settings.CSRF_HEADER_NAME
2015-03-05 15:03:40 -05:00
9eb4f28e89
Deprecated TEMPLATE_CONTEXT_PROCESSORS.
2014-12-28 17:02:31 +01:00
92e8f1f302
Moved context_processors from django.core to django.template.
2014-12-28 17:00:07 +01:00
fa680ce1e2
Fixed #23825 -- Added links for decorating class-based views to the CSRF docs.
2014-11-15 19:33:39 +01:00
d3db878e4b
Moved CSRF docs out of contrib.
2014-11-03 07:47:39 -05:00
Tim Graham
François Freitag
Mayank Singhal
Maxime Lorant
Mariusz Felisiak
CHI Cheng
Alex Gaynor
Flávio Juvenal
Claude Paroz
Alasdair Nicol
Raphael Michel
Camilo Nova
Holly Becker
B. J. Potter
Shai Berger
Florian Apolloner
Vasiliy Faronov
Vaclav Ehrlich
acemaster
userimack
Luke Plant
Danilo Bargen
Jon Dufresne
Agnieszka Lasyk
Matt Robenolt
Joshua Kehn
Marc
Dave Hodder
Grzegorz Slusarek
Aymeric Augustin
Fabio Natali
Thomas Chaumeny