summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLuke Plant <L.Plant.98@cantab.net>2011-05-09 22:59:52 +0000
committerLuke Plant <L.Plant.98@cantab.net>2011-05-09 22:59:52 +0000
commitbf7af2be15a0844f5c1ae9a47cb75fc255e0eaf6 (patch)
tree98a4a931c0e0cddc3ecec2b707c10255f7d3f4c3
parent8122ce7c766ab12d2d9bc5389514850ef7b22ac2 (diff)
Added clarifying note to docs for CSRF_COOKIE_DOMAIN
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16197 bcc190cf-cafb-0310-a4f2-bffc1f526a37
-rw-r--r--docs/ref/contrib/csrf.txt2
-rw-r--r--docs/ref/settings.txt8
2 files changed, 8 insertions, 2 deletions
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt
index 7ff7d53aa0..c3c01c0b06 100644
--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
@@ -280,6 +280,8 @@ CSRF checks::
>>> from django.test import Client
>>> csrf_client = Client(enforce_csrf_checks=True)
+.. _csrf-limitations:
+
Limitations
===========
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 3a28745598..f8a5e0f640 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -319,11 +319,15 @@ CSRF_COOKIE_DOMAIN
Default: ``None``
The domain to be used when setting the CSRF cookie. This can be useful for
-allowing cross-subdomain requests to be exluded from the normal cross site
-request forgery protection. It should be set to a string such as
+easily allowing cross-subdomain requests to be exluded from the normal cross
+site request forgery protection. It should be set to a string such as
``".lawrence.com"`` to allow a POST request from a form on one subdomain to be
accepted by accepted by a view served from another subdomain.
+Please note that the presence of this setting does not imply that Django's CSRF
+protection is safe from cross-subdomain attacks by default - please see the
+:ref:`CSRF limitations <csrf-limitations>` section.
+
.. setting:: CSRF_COOKIE_NAME
CSRF_COOKIE_NAME