diff options
| author | Tim Graham <timograham@gmail.com> | 2021-01-12 19:55:02 -0500 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-03-18 20:00:22 +0100 |
| commit | dba44a7a7a3581ec722e06fa0f9f33dfc00ed5cd (patch) | |
| tree | a999c49d722b06cc70740b55be21c8f73ae343eb /docs/ref | |
| parent | 9bf5e9418f425666726559c9f1981a516da30aab (diff) | |
Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme.
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/checks.txt | 3 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 17 |
2 files changed, 16 insertions, 4 deletions
diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt index 6e787ef1a4..0dbd15b5c9 100644 --- a/docs/ref/checks.txt +++ b/docs/ref/checks.txt @@ -123,6 +123,9 @@ upgrading Django. * **2_0.W001**: Your URL pattern ``<pattern>`` has a ``route`` that contains ``(?P<``, begins with a ``^``, or ends with a ``$``. This was likely an oversight when migrating from ``url()`` to :func:`~django.urls.path`. +* **4_0.E001**: As of Django 4.0, the values in the + :setting:`CSRF_TRUSTED_ORIGINS` setting must start with a scheme (usually + ``http://`` or ``https://``) but found ``<hostname>``. Caches ------ diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 18eb941ce8..704bee63a4 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -457,15 +457,24 @@ should be ``'HTTP_X_XSRF_TOKEN'``. Default: ``[]`` (Empty list) -A list of hosts which are trusted origins for unsafe requests (e.g. ``POST``). +A list of trusted origins for unsafe requests (e.g. ``POST``). + For a :meth:`secure <django.http.HttpRequest.is_secure>` unsafe request, Django's CSRF protection requires that the request have a ``Referer`` header that matches the origin present in the ``Host`` header. This prevents, for example, a ``POST`` request from ``subdomain.example.com`` from succeeding against ``api.example.com``. If you need cross-origin unsafe requests over -HTTPS, continuing the example, add ``"subdomain.example.com"`` to this list. -The setting also supports subdomains, so you could add ``".example.com"``, for -example, to allow access from all subdomains of ``example.com``. +HTTPS, continuing the example, add ``'https://subdomain.example.com'`` to this +list (and/or ``http://...`` if requests originate from an insecure page). + +The setting also supports subdomains, so you could add +``'https://*.example.com'``, for example, to allow access from all subdomains +of ``example.com``. + +.. versionchanged:: 4.0 + + The values in older versions must only include the hostname (possibly with + a leading dot) and not the scheme or an asterisk. .. setting:: DATABASES |
