Added clarifying note to docs for CSRF_COOKIE_DOMAIN

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16197 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 22:59:52 +00:00 · 2011-05-09 22:59:52 +00:00 · bf7af2be15
parent 8122ce7c76
commit bf7af2be15
2 changed files with 8 additions and 2 deletions
--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
@ -280,6 +280,8 @@ CSRF checks::
    >>> from django.test import Client
    >>> csrf_client = Client(enforce_csrf_checks=True)

+.. _csrf-limitations:
+
 Limitations
 ===========

--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@ -319,11 +319,15 @@ CSRF_COOKIE_DOMAIN
 Default: ``None``

 The domain to be used when setting the CSRF cookie.  This can be useful for
-allowing cross-subdomain requests to be exluded from the normal cross site
-request forgery protection.  It should be set to a string such as
+easily allowing cross-subdomain requests to be exluded from the normal cross
+site request forgery protection.  It should be set to a string such as
 ``".lawrence.com"`` to allow a POST request from a form on one subdomain to be
 accepted by accepted by a view served from another subdomain.

+Please note that the presence of this setting does not imply that Django's CSRF
+protection is safe from cross-subdomain attacks by default - please see the
+:ref:`CSRF limitations <csrf-limitations>` section.
+
 .. setting:: CSRF_COOKIE_NAME

 CSRF_COOKIE_NAME