diff options
| author | Luke Plant <L.Plant.98@cantab.net> | 2011-05-09 22:59:52 +0000 |
|---|---|---|
| committer | Luke Plant <L.Plant.98@cantab.net> | 2011-05-09 22:59:52 +0000 |
| commit | bf7af2be15a0844f5c1ae9a47cb75fc255e0eaf6 (patch) | |
| tree | 98a4a931c0e0cddc3ecec2b707c10255f7d3f4c3 /docs/ref | |
| parent | 8122ce7c766ab12d2d9bc5389514850ef7b22ac2 (diff) | |
Added clarifying note to docs for CSRF_COOKIE_DOMAIN
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16197 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/contrib/csrf.txt | 2 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 8 |
2 files changed, 8 insertions, 2 deletions
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt index 7ff7d53aa0..c3c01c0b06 100644 --- a/docs/ref/contrib/csrf.txt +++ b/docs/ref/contrib/csrf.txt @@ -280,6 +280,8 @@ CSRF checks:: >>> from django.test import Client >>> csrf_client = Client(enforce_csrf_checks=True) +.. _csrf-limitations: + Limitations =========== diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 3a28745598..f8a5e0f640 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -319,11 +319,15 @@ CSRF_COOKIE_DOMAIN Default: ``None`` The domain to be used when setting the CSRF cookie. This can be useful for -allowing cross-subdomain requests to be exluded from the normal cross site -request forgery protection. It should be set to a string such as +easily allowing cross-subdomain requests to be exluded from the normal cross +site request forgery protection. It should be set to a string such as ``".lawrence.com"`` to allow a POST request from a form on one subdomain to be accepted by accepted by a view served from another subdomain. +Please note that the presence of this setting does not imply that Django's CSRF +protection is safe from cross-subdomain attacks by default - please see the +:ref:`CSRF limitations <csrf-limitations>` section. + .. setting:: CSRF_COOKIE_NAME CSRF_COOKIE_NAME |
