Added clarifying note to docs for CSRF_COOKIE_DOMAIN

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16197 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Luke Plant 2011-05-09 22:59:52 +00:00
parent 8122ce7c76
commit bf7af2be15
2 changed files with 8 additions and 2 deletions


@ -280,6 +280,8 @@ CSRF checks::
>>> from django.test import Client >>> from django.test import Client
>>> csrf_client = Client(enforce_csrf_checks=True) >>> csrf_client = Client(enforce_csrf_checks=True)
.. _csrf-limitations:
Limitations Limitations
=========== ===========
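Review bot: the new `.. _csrf-limitations:` target must be separated from the `Limitations` title by a blank line, and this flattened side-by-side rendering drops blank lines, so confirm that the actual source has one; if the target abuts the title line, docutils reports "Explicit markup ends without a blank line; unexpected unindent" and the label may not attach to the section, which would break the `:ref:` added in the settings file of this same commit.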


@ -319,11 +319,15 @@ CSRF_COOKIE_DOMAIN
Default: ``None`` Default: ``None``
The domain to be used when setting the CSRF cookie. This can be useful for The domain to be used when setting the CSRF cookie. This can be useful for
allowing cross-subdomain requests to be exluded from the normal cross site easily allowing cross-subdomain requests to be exluded from the normal cross
request forgery protection. It should be set to a string such as site request forgery protection. It should be set to a string such as
``".lawrence.com"`` to allow a POST request from a form on one subdomain to be ``".lawrence.com"`` to allow a POST request from a form on one subdomain to be
accepted by accepted by a view served from another subdomain. accepted by accepted by a view served from another subdomain.
Please note that the presence of this setting does not imply that Django's CSRF
protection is safe from cross-subdomain attacks by default - please see the
:ref:`CSRF limitations <csrf-limitations>` section.
.. setting:: CSRF_COOKIE_NAME .. setting:: CSRF_COOKIE_NAME
CSRF_COOKIE_NAME CSRF_COOKIE_NAME
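Review bot: the rewritten right-hand text still carries two defects from the old lines, "exluded" (for "excluded") and the duplicated "accepted by accepted by"; since these lines are being touched anyway, fix both in this change. In the added note, " - please see" uses a hyphen as a dash; a separate sentence reads better in reST source, e.g. "Django's CSRF protection is safe from cross-subdomain attacks. See the :ref:`CSRF limitations <csrf-limitations>` section." The phrase "by default" is also ambiguous here, since the sentence is about what happens once the setting is used, so it can be dropped. The `:ref:` target itself depends on the `csrf-limitations` label added in the other file of this commit, so both hunks need to land together.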