summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2021-01-12 19:55:02 -0500
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2021-03-18 20:00:22 +0100
commitdba44a7a7a3581ec722e06fa0f9f33dfc00ed5cd (patch)
treea999c49d722b06cc70740b55be21c8f73ae343eb /docs/ref
parent9bf5e9418f425666726559c9f1981a516da30aab (diff)
Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme.
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/checks.txt3
-rw-r--r--docs/ref/settings.txt17
2 files changed, 16 insertions, 4 deletions
diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt
index 6e787ef1a4..0dbd15b5c9 100644
--- a/docs/ref/checks.txt
+++ b/docs/ref/checks.txt
@@ -123,6 +123,9 @@ upgrading Django.
* **2_0.W001**: Your URL pattern ``<pattern>`` has a ``route`` that contains
``(?P<``, begins with a ``^``, or ends with a ``$``. This was likely an
oversight when migrating from ``url()`` to :func:`~django.urls.path`.
+* **4_0.E001**: As of Django 4.0, the values in the
+ :setting:`CSRF_TRUSTED_ORIGINS` setting must start with a scheme (usually
+ ``http://`` or ``https://``) but found ``<hostname>``.
Caches
------
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 18eb941ce8..704bee63a4 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -457,15 +457,24 @@ should be ``'HTTP_X_XSRF_TOKEN'``.
Default: ``[]`` (Empty list)
-A list of hosts which are trusted origins for unsafe requests (e.g. ``POST``).
+A list of trusted origins for unsafe requests (e.g. ``POST``).
+
For a :meth:`secure <django.http.HttpRequest.is_secure>` unsafe
request, Django's CSRF protection requires that the request have a ``Referer``
header that matches the origin present in the ``Host`` header. This prevents,
for example, a ``POST`` request from ``subdomain.example.com`` from succeeding
against ``api.example.com``. If you need cross-origin unsafe requests over
-HTTPS, continuing the example, add ``"subdomain.example.com"`` to this list.
-The setting also supports subdomains, so you could add ``".example.com"``, for
-example, to allow access from all subdomains of ``example.com``.
+HTTPS, continuing the example, add ``'https://subdomain.example.com'`` to this
+list (and/or ``http://...`` if requests originate from an insecure page).
+
+The setting also supports subdomains, so you could add
+``'https://*.example.com'``, for example, to allow access from all subdomains
+of ``example.com``.
+
+.. versionchanged:: 4.0
+
+ The values in older versions must only include the hostname (possibly with
+ a leading dot) and not the scheme or an asterisk.
.. setting:: DATABASES