mirror of https://github.com/django/django.git
[3.0.x] Fixed #31029 -- Used more specific links to RFCs.
Backport of ff1b19da67
from master
This commit is contained in:
parent
c0fe08d470
commit
81ddf4b164
|
@ -298,10 +298,11 @@ This ensures that only forms that have originated from trusted domains can be
|
|||
used to POST data back.
|
||||
|
||||
It deliberately ignores GET requests (and other requests that are defined as
|
||||
'safe' by :rfc:`7231`). These requests ought never to have any potentially
|
||||
dangerous side effects , and so a CSRF attack with a GET request ought to be
|
||||
harmless. :rfc:`7231` defines POST, PUT, and DELETE as 'unsafe', and all other
|
||||
methods are also assumed to be unsafe, for maximum protection.
|
||||
'safe' by :rfc:`7231#section-4.2.1`). These requests ought never to have any
|
||||
potentially dangerous side effects, and so a CSRF attack with a GET request
|
||||
ought to be harmless. :rfc:`7231#section-4.2.1` defines POST, PUT, and DELETE
|
||||
as 'unsafe', and all other methods are also assumed to be unsafe, for maximum
|
||||
protection.
|
||||
|
||||
The CSRF protection cannot protect against man-in-the-middle attacks, so use
|
||||
:ref:`HTTPS <security-recommendation-ssl>` with
|
||||
|
|
|
@ -755,8 +755,8 @@ track down every place that the URL might be created. Specify it once, in
|
|||
|
||||
.. note::
|
||||
The string you return from ``get_absolute_url()`` **must** contain only
|
||||
ASCII characters (required by the URI specification, :rfc:`2396`) and be
|
||||
URL-encoded, if necessary.
|
||||
ASCII characters (required by the URI specification, :rfc:`2396#section-2`)
|
||||
and be URL-encoded, if necessary.
|
||||
|
||||
Code and templates calling ``get_absolute_url()`` should be able to use the
|
||||
result directly without any further processing. You may wish to use the
|
||||
|
|
|
@ -825,9 +825,9 @@ Methods
|
|||
JavaScript from having access to the cookie.
|
||||
|
||||
HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's
|
||||
part of the :rfc:`6265` standard for cookies and can be a useful way to
|
||||
mitigate the risk of a client-side script accessing the protected cookie
|
||||
data.
|
||||
part of the :rfc:`RFC 6265 <6265#section-4.1.2.6>` standard for cookies
|
||||
and can be a useful way to mitigate the risk of a client-side script
|
||||
accessing the protected cookie data.
|
||||
* Use ``samesite='Strict'`` or ``samesite='Lax'`` to tell the browser not
|
||||
to send this cookie when performing a cross-origin request. `SameSite`_
|
||||
isn't supported by all browsers, so it's not a replacement for Django's
|
||||
|
@ -838,11 +838,11 @@ Methods
|
|||
|
||||
.. warning::
|
||||
|
||||
:rfc:`6265` states that user agents should support cookies of at least
|
||||
4096 bytes. For many browsers this is also the maximum size. Django
|
||||
will not raise an exception if there's an attempt to store a cookie of
|
||||
more than 4096 bytes, but many browsers will not set the cookie
|
||||
correctly.
|
||||
:rfc:`RFC 6265 <6265#section-6.1>` states that user agents should
|
||||
support cookies of at least 4096 bytes. For many browsers this is also
|
||||
the maximum size. Django will not raise an exception if there's an
|
||||
attempt to store a cookie of more than 4096 bytes, but many browsers
|
||||
will not set the cookie correctly.
|
||||
|
||||
.. method:: HttpResponse.set_signed_cookie(key, value, salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False, samesite=None)
|
||||
|
||||
|
|
|
@ -2751,7 +2751,7 @@ preference to the ``Host`` header. This should only be enabled if a proxy
|
|||
which sets this header is in use.
|
||||
|
||||
This setting takes priority over :setting:`USE_X_FORWARDED_PORT`. Per
|
||||
:rfc:`7239#page-7`, the ``X-Forwarded-Host`` header can include the port
|
||||
:rfc:`7239#section-5.3`, the ``X-Forwarded-Host`` header can include the port
|
||||
number, in which case you shouldn't use :setting:`USE_X_FORWARDED_PORT`.
|
||||
|
||||
.. setting:: USE_X_FORWARDED_PORT
|
||||
|
@ -3073,8 +3073,8 @@ Whether to use ``HttpOnly`` flag on the session cookie. If this is set to
|
|||
cookie.
|
||||
|
||||
HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's part of
|
||||
the :rfc:`6265` standard for cookies and can be a useful way to mitigate the
|
||||
risk of a client-side script accessing the protected cookie data.
|
||||
the :rfc:`6265#section-4.1.2.6` standard for cookies and can be a useful way to
|
||||
mitigate the risk of a client-side script accessing the protected cookie data.
|
||||
|
||||
This makes it less trivial for an attacker to escalate a cross-site scripting
|
||||
vulnerability into full hijacking of a user's session. There aren't many good
|
||||
|
|
|
@ -1417,7 +1417,8 @@ Format character Description Example output
|
|||
the "c" formatter will not add timezone
|
||||
offset if value is a naive datetime
|
||||
(see :class:`datetime.tzinfo`).
|
||||
``r`` :rfc:`5322` formatted date. ``'Thu, 21 Dec 2000 16:01:07 +0200'``
|
||||
``r`` :rfc:`RFC 5322 <5322#section-3.3>` ``'Thu, 21 Dec 2000 16:01:07 +0200'``
|
||||
formatted date.
|
||||
``U`` Seconds since the Unix Epoch
|
||||
(January 1 1970 00:00:00 UTC).
|
||||
================ ======================================== =====================
|
||||
|
|
|
@ -699,8 +699,8 @@ escaping HTML.
|
|||
|
||||
.. function:: http_date(epoch_seconds=None)
|
||||
|
||||
Formats the time to match the :rfc:`1123` date format as specified by HTTP
|
||||
:rfc:`7231#section-7.1.1.1`.
|
||||
Formats the time to match the :rfc:`1123#section-5.2.14` date format as
|
||||
specified by HTTP :rfc:`7231#section-7.1.1.1`.
|
||||
|
||||
Accepts a floating point number expressed in seconds since the epoch in
|
||||
UTC--such as that outputted by ``time.time()``. If set to ``None``,
|
||||
|
|
|
@ -154,7 +154,8 @@ to, or in lieu of custom ``field.clean()`` methods.
|
|||
an error code of ``'invalid'`` if it doesn't.
|
||||
|
||||
Loopback addresses and reserved IP spaces are considered valid. Literal
|
||||
IPv6 addresses (:rfc:`2732`) and unicode domains are both supported.
|
||||
IPv6 addresses (:rfc:`3986#section-3.2.2`) and unicode domains are both
|
||||
supported.
|
||||
|
||||
In addition to the optional arguments of its parent :class:`RegexValidator`
|
||||
class, ``URLValidator`` accepts an extra optional attribute:
|
||||
|
|
Loading…
Reference in New Issue