diff options
| author | Tim Graham <timograham@gmail.com> | 2021-01-12 19:55:02 -0500 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-03-18 20:00:22 +0100 |
| commit | dba44a7a7a3581ec722e06fa0f9f33dfc00ed5cd (patch) | |
| tree | a999c49d722b06cc70740b55be21c8f73ae343eb /docs | |
| parent | 9bf5e9418f425666726559c9f1981a516da30aab (diff) | |
Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/checks.txt | 3 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 17 | ||||
| -rw-r--r-- | docs/releases/4.0.txt | 16 |
3 files changed, 32 insertions, 4 deletions
diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt index 6e787ef1a4..0dbd15b5c9 100644 --- a/docs/ref/checks.txt +++ b/docs/ref/checks.txt @@ -123,6 +123,9 @@ upgrading Django. * **2_0.W001**: Your URL pattern ``<pattern>`` has a ``route`` that contains ``(?P<``, begins with a ``^``, or ends with a ``$``. This was likely an oversight when migrating from ``url()`` to :func:`~django.urls.path`. +* **4_0.E001**: As of Django 4.0, the values in the + :setting:`CSRF_TRUSTED_ORIGINS` setting must start with a scheme (usually + ``http://`` or ``https://``) but found ``<hostname>``. Caches ------ diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 18eb941ce8..704bee63a4 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -457,15 +457,24 @@ should be ``'HTTP_X_XSRF_TOKEN'``. Default: ``[]`` (Empty list) -A list of hosts which are trusted origins for unsafe requests (e.g. ``POST``). +A list of trusted origins for unsafe requests (e.g. ``POST``). + For a :meth:`secure <django.http.HttpRequest.is_secure>` unsafe request, Django's CSRF protection requires that the request have a ``Referer`` header that matches the origin present in the ``Host`` header. This prevents, for example, a ``POST`` request from ``subdomain.example.com`` from succeeding against ``api.example.com``. If you need cross-origin unsafe requests over -HTTPS, continuing the example, add ``"subdomain.example.com"`` to this list. -The setting also supports subdomains, so you could add ``".example.com"``, for -example, to allow access from all subdomains of ``example.com``. +HTTPS, continuing the example, add ``'https://subdomain.example.com'`` to this +list (and/or ``http://...`` if requests originate from an insecure page). + +The setting also supports subdomains, so you could add +``'https://*.example.com'``, for example, to allow access from all subdomains +of ``example.com``. + +.. versionchanged:: 4.0 + + The values in older versions must only include the hostname (possibly with + a leading dot) and not the scheme or an asterisk. .. setting:: DATABASES diff --git a/docs/releases/4.0.txt b/docs/releases/4.0.txt index e15413b501..e4107fdad1 100644 --- a/docs/releases/4.0.txt +++ b/docs/releases/4.0.txt @@ -307,6 +307,22 @@ Upstream support for Oracle 12.2 ends in March 2022 and for Oracle 18c it ends in June 2021. Django 3.2 will be supported until April 2024. Django 4.0 officially supports Oracle 19c. +.. _csrf-trusted-origins-changes-4.0: + +``CSRF_TRUSTED_ORIGINS`` changes +-------------------------------- + +Format change +~~~~~~~~~~~~~ + +Values in the :setting:`CSRF_TRUSTED_ORIGINS` setting must include the scheme +(e.g. ``'http://'`` or ``'https://'``) instead of only the hostname. + +Also, values that started with a dot, must now also include an asterisk before +the dot. For example, change ``'.example.com'`` to ``'https://*.example.com'``. + +A system check detects any required changes. + Miscellaneous ------------- |
