diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py index e307c25536..aed3b3a21b 100644 --- a/django/conf/global_settings.py +++ b/django/conf/global_settings.py @@ -301,12 +301,10 @@ DEFAULT_INDEX_TABLESPACE = '' # this middleware classes will be applied in the order given, and in the # response phase the middleware will be applied in reverse order. MIDDLEWARE_CLASSES = ( -# 'django.middleware.gzip.GZipMiddleware', - 'django.contrib.csrf.middleware.CsrfViewMiddleware', - 'django.contrib.csrf.middleware.CsrfResponseMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', # 'django.middleware.http.ConditionalGetMiddleware', +# 'django.middleware.gzip.GZipMiddleware', 'django.middleware.common.CommonMiddleware', ) diff --git a/django/conf/project_template/settings.py b/django/conf/project_template/settings.py index 4aec1b8c11..bbf005ddea 100644 --- a/django/conf/project_template/settings.py +++ b/django/conf/project_template/settings.py @@ -59,8 +59,6 @@ TEMPLATE_LOADERS = ( MIDDLEWARE_CLASSES = ( 'django.middleware.common.CommonMiddleware', - 'django.contrib.csrf.middleware.CsrfViewMiddleware', - 'django.contrib.csrf.middleware.CsrfResponseMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', ) diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt index afc86d2383..1b6b6102de 100644 --- a/docs/ref/contrib/csrf.txt +++ b/docs/ref/contrib/csrf.txt @@ -7,47 +7,46 @@ Cross Site Request Forgery protection .. module:: django.contrib.csrf :synopsis: Protects against Cross Site Request Forgeries -The CsrfMiddleware classes provides easy-to-use protection against -`Cross Site Request Forgeries`_. This type of attack occurs when a -malicious Web site creates a link or form button that is intended to -perform some action on your Web site, using the credentials of a -logged-in user who is tricked into clicking on the link in their -browser. +The CsrfMiddleware class provides easy-to-use protection against +`Cross Site Request Forgeries`_. This type of attack occurs when a malicious +Web site creates a link or form button that is intended to perform some action +on your Web site, using the credentials of a logged-in user who is tricked +into clicking on the link in their browser. The first defense against CSRF attacks is to ensure that GET requests -are side-effect free. POST requests can then be protected by adding -these middleware into your list of installed middleware. +are side-effect free. POST requests can then be protected by adding this +middleware into your list of installed middleware. .. _Cross Site Request Forgeries: http://www.squarefree.com/securitytips/web-developers.html#CSRF How to use it ============= -Add the middleware -``'django.contrib.csrf.middleware.CsrfViewMiddleware'`` and -``'django.contrib.csrf.middleware.CsrfResponseMiddleware'`` to your -list of middleware classes, -:setting:`MIDDLEWARE_CLASSES`. ``CsrfResponseMiddleware`` needs to -process the response after the ``SessionMiddleware``, so must come -before it in the list. It also must process the response before -things like compression happen to the response, so it must come after -``GZipMiddleware`` in the list. +Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to +your list of middleware classes, :setting:`MIDDLEWARE_CLASSES`. It needs to process +the response after the SessionMiddleware, so must come before it in the +list. It also must process the response before things like compression +happen to the response, so it must come after GZipMiddleware in the +list. -The ``CsrfMiddleware`` class, which combines the two classes, is also -available, for backwards compatibility with Django 1.0. +The ``CsrfMiddleware`` class is actually composed of two middleware: +``CsrfViewMiddleware`` which performs the checks on incoming requests, +and ``CsrfResponseMiddleware`` which performs post-processing of the +result. This allows the individual components to be used and/or +replaced instead of using ``CsrfMiddleware``. .. versionchanged:: 1.1 - previous versions of Django did not provide these two components - of ``CsrfMiddleware`` as described above. + (previous versions of Django did not provide these two components + of ``CsrfMiddleware`` as described above) Exceptions ---------- .. versionadded:: 1.1 -To manually exclude a view function from being handled by either of -the two CSRF middleware, you can use the ``csrf_exempt`` decorator, -found in the ``django.contrib.csrf.middleware`` module. For example:: +To manually exclude a view function from being handled by the +CsrfMiddleware, you can use the ``csrf_exempt`` decorator, found in +the ``django.contrib.csrf.middleware`` module. For example:: from django.contrib.csrf.middleware import csrf_exempt @@ -55,12 +54,12 @@ found in the ``django.contrib.csrf.middleware`` module. For example:: return HttpResponse('Hello world') my_view = csrf_exempt(my_view) -Like the middleware, the ``csrf_exempt`` decorator is composed of two -parts: a ``csrf_view_exempt`` decorator and a ``csrf_response_exempt`` -decorator, found in the same module. These disable the view -protection mechanism (``CsrfViewMiddleware``) and the response -post-processing (``CsrfResponseMiddleware``) respectively. They can -be used individually if required. +Like the middleware itself, the ``csrf_exempt`` decorator is composed +of two parts: a ``csrf_view_exempt`` decorator and a +``csrf_response_exempt`` decorator, found in the same module. These +disable the view protection mechanism (``CsrfViewMiddleware``) and the +response post-processing (``CsrfResponseMiddleware``) respectively. +They can be used individually if required. You don't have to worry about doing this for most AJAX views. Any request sent with "X-Requested-With: XMLHttpRequest" is automatically @@ -69,7 +68,7 @@ exempt. (See the next section.) How it works ============ -The CSRF middleware do two things: +CsrfMiddleware does two things: 1. It modifies outgoing requests by adding a hidden form field to all 'POST' forms, with the name 'csrfmiddlewaretoken' and a value which is @@ -113,9 +112,9 @@ don't trust content within the same domain or subdomains.) Limitations =========== -These middleware require Django's session framework to work. If you -have a custom authentication system that manually sets cookies and the -like, it won't help you. +CsrfMiddleware requires Django's session framework to work. If you have +a custom authentication system that manually sets cookies and the like, +it won't help you. If your app creates HTML pages and forms in some unusual way, (e.g. it sends fragments of HTML in JavaScript document.write statements) diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 086ad04efb..7652249514 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -760,11 +760,10 @@ MIDDLEWARE_CLASSES Default:: - ("django.contrib.csrf.middleware.CsrfViewMiddleware", - "django.contrib.csrf.middleware.CsrfResponseMiddleware", - "django.contrib.sessions.middleware.SessionMiddleware", + ("django.contrib.sessions.middleware.SessionMiddleware", "django.contrib.auth.middleware.AuthenticationMiddleware", - "django.middleware.common.CommonMiddleware") + "django.middleware.common.CommonMiddleware", + "django.middleware.doc.XViewMiddleware") A tuple of middleware classes to use. See :ref:`topics-http-middleware`. diff --git a/docs/topics/http/middleware.txt b/docs/topics/http/middleware.txt index bafdd65484..54d4c42194 100644 --- a/docs/topics/http/middleware.txt +++ b/docs/topics/http/middleware.txt @@ -28,10 +28,9 @@ created by :djadmin:`django-admin.py startproject `:: MIDDLEWARE_CLASSES = ( 'django.middleware.common.CommonMiddleware', - 'django.contrib.csrf.middleware.CsrfViewMiddleware', - 'django.contrib.csrf.middleware.CsrfResponseMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', + 'django.middleware.doc.XViewMiddleware', ) During the request phases (:meth:`process_request` and :meth:`process_view`