summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorJoshua Kehn <josh@kehn.us>2015-08-31 22:32:03 -0400
committerTim Graham <timograham@gmail.com>2015-09-05 09:19:57 -0400
commitab26b65b2f178597be845e203eb698e193e3502e (patch)
tree0373fa71f7f14e4bd4b24efe36554741144209ba /docs
parent48c420d99209b147b58d7b873d1b54f76249c8dc (diff)
Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS.
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other domains that are included during the CSRF Referer header verification for secure (HTTPS) requests.
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/csrf.txt4
-rw-r--r--docs/ref/settings.txt18
-rw-r--r--docs/releases/1.9.txt3
-rw-r--r--docs/spelling_wordlist1
4 files changed, 25 insertions, 1 deletions
diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt
index 590990571f..ba24339a78 100644
--- a/docs/ref/csrf.txt
+++ b/docs/ref/csrf.txt
@@ -257,7 +257,8 @@ The CSRF protection is based on the following things:
due to the fact that HTTP 'Set-Cookie' headers are (unfortunately) accepted
by clients that are talking to a site under HTTPS. (Referer checking is not
done for HTTP requests because the presence of the Referer header is not
- reliable enough under HTTP.)
+ reliable enough under HTTP.) Expanding the accepted referers beyond the
+ current host can be done with the :setting:`CSRF_TRUSTED_ORIGINS` setting.
This ensures that only forms that have originated from your Web site can be used
to POST data back.
@@ -460,3 +461,4 @@ A number of settings can be used to control Django's CSRF behavior:
* :setting:`CSRF_COOKIE_SECURE`
* :setting:`CSRF_FAILURE_VIEW`
* :setting:`CSRF_HEADER_NAME`
+* :setting:`CSRF_TRUSTED_ORIGINS`
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 217f54281d..ed5ac98947 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -428,6 +428,23 @@ any hyphens with underscores, and adding an ``'HTTP_'`` prefix to the name.
For example, if your client sends a ``'X-XSRF-TOKEN'`` header, the setting
should be ``'HTTP_X_XSRF_TOKEN'``.
+.. setting:: CSRF_TRUSTED_ORIGINS
+
+CSRF_TRUSTED_ORIGINS
+--------------------
+
+.. versionadded:: 1.9
+
+Default: ``[]`` (Empty list)
+
+A list of hosts which are trusted origins for unsafe requests (e.g. ``POST``).
+For a :meth:`secure <django.http.HttpRequest.is_secure>` unsafe
+request, Django's CSRF protection requires that the request have a ``Referer``
+header that matches the origin present in the ``Host`` header. This prevents,
+for example, a ``POST`` request from ``subdomain.example.com`` from succeeding
+against ``api.example.com``. If you need cross-origin unsafe requests over
+HTTPS, continuing the example, add ``"subdomain.example.com"`` to this list.
+
.. setting:: DATABASES
DATABASES
@@ -3374,6 +3391,7 @@ Security
* :setting:`CSRF_COOKIE_SECURE`
* :setting:`CSRF_FAILURE_VIEW`
* :setting:`CSRF_HEADER_NAME`
+ * :setting:`CSRF_TRUSTED_ORIGINS`
* :setting:`SECRET_KEY`
* :setting:`X_FRAME_OPTIONS`
diff --git a/docs/releases/1.9.txt b/docs/releases/1.9.txt
index 5c0e3b613c..cf7909057b 100644
--- a/docs/releases/1.9.txt
+++ b/docs/releases/1.9.txt
@@ -484,6 +484,9 @@ CSRF
* The request header's name used for CSRF authentication can be customized
with :setting:`CSRF_HEADER_NAME`.
+* The new :setting:`CSRF_TRUSTED_ORIGINS` setting provides a way to allow
+ cross-origin unsafe requests (e.g. ``POST``) over HTTPS.
+
Signals
^^^^^^^
diff --git a/docs/spelling_wordlist b/docs/spelling_wordlist
index 691ab2f4ef..1edaa68d49 100644
--- a/docs/spelling_wordlist
+++ b/docs/spelling_wordlist
@@ -644,6 +644,7 @@ refactoring
refactorings
refactors
referer
+referers
reflow
regex
regexes