author: Mayank Singhal <17mayanksinghal@gmail.com> 2018-10-25 01:52:57 +0530
committer: Tim Graham <timograham@gmail.com> 2018-10-25 11:39:52 -0400
commit: 76b3367035889d87ffef7a52cd44d70e30537f6f (patch)
tree: adfe242bfa9028f3e0cadd9336e8bdbb3c18dc1d /docs/ref
parent: f1d163449396f8bab6c50f4b8b54829d139feda2 (diff)
Fixed #29879 -- Added CSRF_COOKIE_HTTPONLY to CSRF AJAX docs.
Diffstat (limited to 'docs/ref')
-rw-r--r--  docs/ref/csrf.txt      20
-rw-r--r--  docs/ref/settings.txt   5
2 files changed, 16 insertions, 9 deletions
diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt
index 11edff2407..bb12e07c93 100644
--- a/docs/ref/csrf.txt
+++ b/docs/ref/csrf.txt
@@ -66,10 +66,13 @@ often easier because many JavaScript frameworks provide hooks that allow
headers to be set on every request.
First, you must get the CSRF token. How to do that depends on whether or not
-the :setting:`CSRF_USE_SESSIONS` setting is enabled.
+the :setting:`CSRF_USE_SESSIONS` and :setting:`CSRF_COOKIE_HTTPONLY` settings
+are enabled.
-Acquiring the token if :setting:`CSRF_USE_SESSIONS` is ``False``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.. _acquiring-csrf-token-from-cookie:
+
+Acquiring the token if :setting:`CSRF_USE_SESSIONS` and :setting:`CSRF_COOKIE_HTTPONLY` are ``False``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The recommended source for the token is the ``csrftoken`` cookie, which will be
set if you've enabled CSRF protection for your views as outlined above.
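Review bot: the retitled section ("Acquiring the token if :setting:`CSRF_USE_SESSIONS` and :setting:`CSRF_COOKIE_HTTPONLY` are ``False``") now names the HttpOnly setting as a precondition, but the body that follows ("The recommended source for the token is the ``csrftoken`` cookie, which will be set if you've enabled CSRF protection") never says why it matters. Suggest one sentence right after the heading, e.g. "A cookie marked ``HttpOnly`` is not visible to JavaScript via ``document.cookie``, so this approach only works while :setting:`CSRF_COOKIE_HTTPONLY` is ``False``." Also double-check that the lengthened ``~`` underline is at least as long as the new title; a short underline is a Sphinx warning, and the settings reference already links here via the new ``acquiring-csrf-token-from-cookie`` label.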
@@ -122,11 +125,14 @@ The above code could be simplified by using the `JavaScript Cookie library
Django provides a view decorator which forces setting of the cookie:
:func:`~django.views.decorators.csrf.ensure_csrf_cookie`.
-Acquiring the token if :setting:`CSRF_USE_SESSIONS` is ``True``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.. _acquiring-csrf-token-from-html:
+
+Acquiring the token if :setting:`CSRF_USE_SESSIONS` or :setting:`CSRF_COOKIE_HTTPONLY` is ``True``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-If you activate :setting:`CSRF_USE_SESSIONS`, you must include the CSRF token
-in your HTML and read the token from the DOM with JavaScript:
+If you activate :setting:`CSRF_USE_SESSIONS` or
+:setting:`CSRF_COOKIE_HTTPONLY`, you must include the CSRF token in your HTML
+and read the token from the DOM with JavaScript:
.. code-block:: html+django
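Review bot: the rewritten sentence "you must include the CSRF token in your HTML and read the token from the DOM with JavaScript" should state how the token gets into the HTML; the hidden input only exists if the template renders the ``{% csrf_token %}`` tag (or the code in the html+django block below it does so explicitly), and a reader arriving from the :setting:`CSRF_COOKIE_HTTPONLY` setting may otherwise expect it to appear automatically. Suggest: "you must render the CSRF token into your HTML (for example with the ``{% csrf_token %}`` template tag) and read it from the DOM with JavaScript". The "or ... is ``True``" heading is the correct complement of the "and ... are ``False``" heading in the previous hunk, so the two sections together cover every combination of the two settings.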
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index cc2892077b..dd65e451c2 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -335,8 +335,9 @@ Although the setting offers little practical benefit, it's sometimes required
by security auditors.
If you enable this and need to send the value of the CSRF token with an AJAX
-request, your JavaScript must pull the value from a hidden CSRF token form
-input on the page instead of from the cookie.
+request, your JavaScript must pull the value :ref:`from a hidden CSRF token
+form input <acquiring-csrf-token-from-html>` instead of :ref:`from the cookie
+<acquiring-csrf-token-from-cookie>`.
See :setting:`SESSION_COOKIE_HTTPONLY` for details on ``HttpOnly``.
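Review bot: the new :ref: links ``acquiring-csrf-token-from-html`` and ``acquiring-csrf-token-from-cookie`` match the labels introduced in docs/ref/csrf.txt in this same patch, so the cross-references resolve. The sentence "your JavaScript must pull the value :ref:`from a hidden CSRF token form input <acquiring-csrf-token-from-html>`" still leaves implicit that the page has to render that input; consider adding "(rendered by the ``{% csrf_token %}`` template tag)" so the unchanged context line "Although the setting offers little practical benefit" is paired with the concrete cost of enabling it, namely that the token must be embedded in the page instead of being read from the cookie.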