diff options
| author | Luke Plant <L.Plant.98@cantab.net> | 2007-08-16 14:09:41 +0000 |
|---|---|---|
| committer | Luke Plant <L.Plant.98@cantab.net> | 2007-08-16 14:09:41 +0000 |
| commit | c568792e81c7a09e3160548e7b8dcb89e9a5fa99 (patch) | |
| tree | caff6de8f9fbc00f5ab767843b259eabfe2b8ad3 /docs | |
| parent | 296d8d4553c389fb32d1ee594fb835b123645794 (diff) | |
Added a reference for the claim in CSRF docs that GET requests
should be side-effect free.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@5902 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/csrf.txt | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/docs/csrf.txt b/docs/csrf.txt index c12dd1d116..7d79e39502 100644 --- a/docs/csrf.txt +++ b/docs/csrf.txt @@ -41,10 +41,10 @@ CsrfMiddleware does two things: This ensures that only forms that have originated from your web site can be used to POST data back. -It deliberately only targets HTTP POST requests (and the corresponding -POST forms). GET requests ought never to have side effects (if you are -using HTTP GET and POST correctly), and so a CSRF attack with a GET -request will always be harmless. +It deliberately only targets HTTP POST requests (and the corresponding POST +forms). GET requests ought never to have any potentially dangerous side +effects (see `9.1.1 Safe Methods, HTTP 1.1, RFC 2616`_), and so a +CSRF attack with a GET request ought to be harmless. POST requests that are not accompanied by a session cookie are not protected, but they do not need to be protected, since the 'attacking' web site @@ -54,6 +54,8 @@ The Content-Type is checked before modifying the response, and only pages that are served as 'text/html' or 'application/xml+xhtml' are modified. +.. _9.1.1 Safe Methods, HTTP 1.1, RFC 2616: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html + Limitations =========== |
