mirror of https://github.com/django/django.git
Added clarifying note to docs for CSRF_COOKIE_DOMAIN
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16197 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
8122ce7c76
commit
bf7af2be15
|
@ -280,6 +280,8 @@ CSRF checks::
|
|||
>>> from django.test import Client
|
||||
>>> csrf_client = Client(enforce_csrf_checks=True)
|
||||
|
||||
.. _csrf-limitations:
|
||||
|
||||
Limitations
|
||||
===========
|
||||
|
||||
|
|
|
@ -319,11 +319,15 @@ CSRF_COOKIE_DOMAIN
|
|||
Default: ``None``
|
||||
|
||||
The domain to be used when setting the CSRF cookie. This can be useful for
|
||||
allowing cross-subdomain requests to be exluded from the normal cross site
|
||||
request forgery protection. It should be set to a string such as
|
||||
easily allowing cross-subdomain requests to be exluded from the normal cross
|
||||
site request forgery protection. It should be set to a string such as
|
||||
``".lawrence.com"`` to allow a POST request from a form on one subdomain to be
|
||||
accepted by accepted by a view served from another subdomain.
|
||||
|
||||
Please note that the presence of this setting does not imply that Django's CSRF
|
||||
protection is safe from cross-subdomain attacks by default - please see the
|
||||
:ref:`CSRF limitations <csrf-limitations>` section.
|
||||
|
||||
.. setting:: CSRF_COOKIE_NAME
|
||||
|
||||
CSRF_COOKIE_NAME
|
||||
|
|
Loading…
Reference in New Issue