diff options
| author | Aymeric Augustin <aymeric.augustin@m4x.org> | 2013-02-07 09:48:08 +0100 |
|---|---|---|
| committer | Aymeric Augustin <aymeric.augustin@m4x.org> | 2013-02-07 09:48:08 +0100 |
| commit | 720888a14699a80a6cd07d32514b9dcd5b1005fb (patch) | |
| tree | ff67a0a1af00fc2568caf7544fddeaeb7258c352 /docs | |
| parent | 6afc85af47f7d9f4494519de8842111734a61459 (diff) | |
Fixed #15808 -- Added optional HttpOnly flag to the CSRF Cookie.
Thanks Samuel Lavitt for the report and Sascha Peilicke for the patch.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/contrib/csrf.txt | 1 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 13 | ||||
| -rw-r--r-- | docs/releases/1.6.txt | 3 |
3 files changed, 17 insertions, 0 deletions
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt index 3ad16e2f97..14522d8dbc 100644 --- a/docs/ref/contrib/csrf.txt +++ b/docs/ref/contrib/csrf.txt @@ -491,6 +491,7 @@ Settings A number of settings can be used to control Django's CSRF behavior: * :setting:`CSRF_COOKIE_DOMAIN` +* :setting:`CSRF_COOKIE_HTTPONLY` * :setting:`CSRF_COOKIE_NAME` * :setting:`CSRF_COOKIE_PATH` * :setting:`CSRF_COOKIE_SECURE` diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index d4c6868ced..9a615b2d99 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -281,6 +281,19 @@ Please note that the presence of this setting does not imply that Django's CSRF protection is safe from cross-subdomain attacks by default - please see the :ref:`CSRF limitations <csrf-limitations>` section. +.. setting:: CSRF_COOKIE_HTTPONLY + +CSRF_COOKIE_HTTPONLY +-------------------- + +.. versionadded:: 1.6 + +Default: ``False`` + +Whether to use HttpOnly flag on the CSRF cookie. If this is set to ``True``, +client-side JavaScript will not to be able to access the CSRF cookie. See +:setting:`SESSION_COOKIE_HTTPONLY` for details on HttpOnly. + .. setting:: CSRF_COOKIE_NAME CSRF_COOKIE_NAME diff --git a/docs/releases/1.6.txt b/docs/releases/1.6.txt index f86d8b8108..f53fa8ac4c 100644 --- a/docs/releases/1.6.txt +++ b/docs/releases/1.6.txt @@ -36,6 +36,9 @@ Minor features * Authentication backends can raise ``PermissionDenied`` to immediately fail the authentication chain. +* The HttpOnly flag can be set on the CSRF cookie with + :setting:`CSRF_COOKIE_HTTPONLY`. + * The ``assertQuerysetEqual()`` now checks for undefined order and raises ``ValueError`` if undefined order is spotted. The order is seen as undefined if the given ``QuerySet`` isn't ordered and there are more than |
