diff options
| author | Joshua Kehn <josh@kehn.us> | 2015-08-31 22:32:03 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-09-05 09:19:57 -0400 |
| commit | ab26b65b2f178597be845e203eb698e193e3502e (patch) | |
| tree | 0373fa71f7f14e4bd4b24efe36554741144209ba /docs | |
| parent | 48c420d99209b147b58d7b873d1b54f76249c8dc (diff) | |
Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS.
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other
domains that are included during the CSRF Referer header verification
for secure (HTTPS) requests.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/csrf.txt | 4 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 18 | ||||
| -rw-r--r-- | docs/releases/1.9.txt | 3 | ||||
| -rw-r--r-- | docs/spelling_wordlist | 1 |
4 files changed, 25 insertions, 1 deletions
diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt index 590990571f..ba24339a78 100644 --- a/docs/ref/csrf.txt +++ b/docs/ref/csrf.txt @@ -257,7 +257,8 @@ The CSRF protection is based on the following things: due to the fact that HTTP 'Set-Cookie' headers are (unfortunately) accepted by clients that are talking to a site under HTTPS. (Referer checking is not done for HTTP requests because the presence of the Referer header is not - reliable enough under HTTP.) + reliable enough under HTTP.) Expanding the accepted referers beyond the + current host can be done with the :setting:`CSRF_TRUSTED_ORIGINS` setting. This ensures that only forms that have originated from your Web site can be used to POST data back. @@ -460,3 +461,4 @@ A number of settings can be used to control Django's CSRF behavior: * :setting:`CSRF_COOKIE_SECURE` * :setting:`CSRF_FAILURE_VIEW` * :setting:`CSRF_HEADER_NAME` +* :setting:`CSRF_TRUSTED_ORIGINS` diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 217f54281d..ed5ac98947 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -428,6 +428,23 @@ any hyphens with underscores, and adding an ``'HTTP_'`` prefix to the name. For example, if your client sends a ``'X-XSRF-TOKEN'`` header, the setting should be ``'HTTP_X_XSRF_TOKEN'``. +.. setting:: CSRF_TRUSTED_ORIGINS + +CSRF_TRUSTED_ORIGINS +-------------------- + +.. versionadded:: 1.9 + +Default: ``[]`` (Empty list) + +A list of hosts which are trusted origins for unsafe requests (e.g. ``POST``). +For a :meth:`secure <django.http.HttpRequest.is_secure>` unsafe +request, Django's CSRF protection requires that the request have a ``Referer`` +header that matches the origin present in the ``Host`` header. This prevents, +for example, a ``POST`` request from ``subdomain.example.com`` from succeeding +against ``api.example.com``. If you need cross-origin unsafe requests over +HTTPS, continuing the example, add ``"subdomain.example.com"`` to this list. + .. setting:: DATABASES DATABASES @@ -3374,6 +3391,7 @@ Security * :setting:`CSRF_COOKIE_SECURE` * :setting:`CSRF_FAILURE_VIEW` * :setting:`CSRF_HEADER_NAME` + * :setting:`CSRF_TRUSTED_ORIGINS` * :setting:`SECRET_KEY` * :setting:`X_FRAME_OPTIONS` diff --git a/docs/releases/1.9.txt b/docs/releases/1.9.txt index 5c0e3b613c..cf7909057b 100644 --- a/docs/releases/1.9.txt +++ b/docs/releases/1.9.txt @@ -484,6 +484,9 @@ CSRF * The request header's name used for CSRF authentication can be customized with :setting:`CSRF_HEADER_NAME`. +* The new :setting:`CSRF_TRUSTED_ORIGINS` setting provides a way to allow + cross-origin unsafe requests (e.g. ``POST``) over HTTPS. + Signals ^^^^^^^ diff --git a/docs/spelling_wordlist b/docs/spelling_wordlist index 691ab2f4ef..1edaa68d49 100644 --- a/docs/spelling_wordlist +++ b/docs/spelling_wordlist @@ -644,6 +644,7 @@ refactoring refactorings refactors referer +referers reflow regex regexes |
