Commit Graph

74 Commits

Author SHA1 Message Date
Tim Graham 63670a474c Removed a CSRF example for jQuery < 1.5. 2014-06-18 14:58:50 -04:00
Tim Graham 0be4d64487 Fixed #22859 -- Improved crossDomain technique in CSRF example.
Thanks flisky for the report.
2014-06-18 14:35:38 -04:00
Tim Graham dd55132643 Removed extras/csrf_migration_helper.py 2014-06-09 11:53:09 -04:00
Roger Hu 9b729ddd8f Fixed #22185 -- Added settings.CSRF_COOKIE_AGE
Thanks Paul McMillan for the review.
2014-03-06 08:28:43 -05:00
Ian Foote af64f829d7 Fix typo CRSF -> CSRF 2014-01-29 16:54:02 +00:00
Alasdair Nicol 81f454a322 Update link to jQuery Cookie plugin site 2013-05-24 14:36:17 +01:00
Silvan Spross 6a479955f0 Add missing imports and models to the examples in security documentation 2013-05-19 13:29:49 +02:00
Tim Graham 93cffc3b37 Added missing markup to docs. 2013-03-22 13:50:07 -04:00
Aymeric Augustin 720888a146 Fixed #15808 -- Added optional HttpOnly flag to the CSRF Cookie.
Thanks Samuel Lavitt for the report and Sascha Peilicke for the patch.
2013-02-07 09:48:08 +01:00
Tim Graham ba50d3e05b Fixed #14633 - Organized settings reference docs and added a topical index.
Thanks Gabriel Hurley for the original idea
and adamv for the draft patch.
2013-01-12 18:44:53 -05:00
Aymeric Augustin 7ee7599ab3 Removed versionadded/changed annotations dating back to 1.4. 2012-12-29 21:59:08 +01:00
Tim Graham 15202baace Fixed #17058 - Clarified where extras/csrf_migration_helper.py is located 2012-09-29 16:41:55 -04:00
Tim Graham e376558ed2 Fixed #16936 - Updated javascript for CSRF protection.
Thanks Idan Gazit for the patch.
2012-09-01 06:03:01 -04:00
Aymeric Augustin c28e700c7e Removed references to changes made in 1.2.
Thanks Florian Apolloner for the patch.
2012-06-07 15:02:35 +02:00
Aymeric Augustin 17f3e9258e Fixed #18397 -- Avoided referencing lawrence.com.
This commit includes multiple small related changes, see the ticket
for a full discussion.
2012-06-07 11:50:20 +02:00
Carl Meyer 8cadf1d79a Fixed #17790 - Made the Ajax CSRF jQuery example work with jQuery in compatibility mode, too. Thanks Jonathan Hayward for the suggestion.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17623 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-02 16:06:11 +00:00
Luke Plant 0447cc1231 Added versionadded info for ensure_csrf_cookie decorator
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17594 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-27 14:40:36 +00:00
Luke Plant 59b2439e7e Fixed ReST typo in CSRF docs.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17593 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-27 14:40:27 +00:00
Adrian Holovaty 937213c2c3 Edited csrf.txt changes from [17299]
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17309 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-30 20:36:54 +00:00
Aymeric Augustin 39201d8fe5 Fixed #16704 -- Documented how to insert the CSRF token outside of Django's own template engine. Thanks paulcwatts and bpeschier for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17299 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-30 14:55:44 +00:00
Timo Graham c29e089000 Fixed #17105 - Typos in docs/ref/contrib/csrf.txt; thanks googol for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17109 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-11-19 10:53:26 +00:00
Luke Plant d1e5c55258 Fixed many more ReST indentation errors, somehow accidentally missed from [16955]
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16983 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-10-14 00:12:01 +00:00
Ramiro Morales 932b1b8d6d Converted links to external topics so they use intersphinx extension markup.
This allows to make these links more resilent to changes in the target URLs.
Thanks Jannis for the report and Aymeric Augustin for the patch.

Fixes #16586.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16720 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-04 21:17:30 +00:00
Jannis Leidel 566b3295fa Fixed #16621 -- Fixed lots of typos in the docs. Thanks, Bernhard Essl.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16615 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-13 11:58:19 +00:00
Timo Graham f3bf62230a Fixed #16606 - Typo in docs/ref/contrib/csrf.txt; thanks selwin.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16612 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-13 11:25:57 +00:00
Brian Rosner 99cd76e273 Added a note about the AJAX CSRF example not working on jQuery 1.5
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16543 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-14 18:36:05 +00:00
Carl Meyer 0e03a504bf Refs #15855 -- Recommended the csrf_protect decorator rather than vary_on_cookie as workaround for cache_page caching the response before it gets to middleware.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16361 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-10 16:18:40 +00:00
Luke Plant 528157ce73 Fixed #14201 - Add a "security overview" page to the docs
Thanks to davidfischer for the initial patch!

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16360 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-10 15:14:36 +00:00
Ramiro Morales 50ad59527c Tweaked some `render_to_response` links in the documentation.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16255 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-21 18:36:01 +00:00
Simon Meers 5ecb88c146 Fixed #16014 -- numerous documentation typos -- thanks psmith.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16220 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-13 04:33:42 +00:00
Luke Plant 396bc58889 Updated AJAX example code in CSRF docs to be consistent regarding what are safe HTTP methods
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16202 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 23:46:02 +00:00
Luke Plant cb060f0f34 Fixed #15258 - Ajax CSRF protection doesn't apply to PUT or DELETE requests
Thanks to brodie for the report, and further input from tow21

This is a potentially backwards incompatible change - if you were doing
PUT/DELETE requests and relying on the lack of protection, you will need to
update your code, as noted in the releaste notes.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16201 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 23:45:54 +00:00
Luke Plant 8cbcf1d3a6 Fixed #14134 - ability to set cookie 'path' and 'secure' attributes of CSRF cookie
Thanks to cfattarsi for the report and initial patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16200 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 23:00:22 +00:00
Luke Plant a75120927e Added 'settings' section to CSRF docs, eliminating the unneeded 'Subdomains' section
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16199 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 23:00:10 +00:00
Luke Plant d3641d889b Clarified wording about use of 2 decorators in CSRF docs
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16198 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 23:00:02 +00:00
Luke Plant bf7af2be15 Added clarifying note to docs for CSRF_COOKIE_DOMAIN
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16197 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 22:59:52 +00:00
Luke Plant b6c5f8060d Fixed #15354 - provide method to ensure CSRF token is always available for AJAX requests
Thanks to sayane for the report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16192 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 21:35:24 +00:00
Luke Plant e9342e9b32 Fixed #15469 - CSRF token is inserted on GET requests
Thanks to goran for report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16191 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 19:06:57 +00:00
Luke Plant 7c648ea4aa Mentioned simplification of AJAX example code in CSRF docs.
Refs #15469. Thanks to aaugustin for the suggestion

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16190 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 19:06:49 +00:00
Luke Plant 5df93d529d Documented the edge case of needing a view that is partly CSRF protected
Refs #15518.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16189 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 18:27:52 +00:00
Luke Plant b5da093fa9 In CSRF docs, moved 'Exceptions' section to 'Edge cases', and cleaned up some associated markup
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16188 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 18:27:45 +00:00
Luke Plant eadcbcb131 Fixed #15518 - documented requires_csrf_token
Thanks to vzima for a report that raised the issue.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16187 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 18:27:36 +00:00
Luke Plant 1d350a6c51 Changed an example in CSRF docs to use new 'render' shortcut
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16186 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 18:27:28 +00:00
Luke Plant ae1866ddef Fixed #15869 - example AJAX code in CSRF docs fails sometimes for IE7 or absolute same origin URLs
Thanks to nick for the report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16183 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 15:40:01 +00:00
Luke Plant 96520e87bd Corrected factual error regarding logging in the CSRF docs
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16047 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-20 11:39:10 +00:00
Luke Plant 8823021625 Removed deprecated CsrfResponseMiddleware, and corresponding tests and docs
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15949 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-30 17:34:26 +00:00
Luke Plant 37343bac8a Removed example CSRF jQuery code from release notes, replacing with link to improved code in the CSRF docs
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15628 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-22 11:27:58 +00:00
Luke Plant d068a04244 Fixed #15284 - improved example jQuery code for adding X-CSRF-Token
Using the ajaxSend event is better than beforeSend, because the beforeSend
callback can have only one value, which makes it painful if it is needed by
multiple bits of javascript.

Thanks to LukeMaurer for report and initial patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15515 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-12 23:37:35 +00:00
Alex Gaynor 208630aa4b Fixed a security issue in the CSRF component. Disclosure and new release forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15464 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-09 02:06:27 +00:00
Timo Graham 2ea93f9327 Fixed #14000 - remove versionadded/changed tags for Django 1.0 and 1.1
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15055 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-26 00:37:14 +00:00