diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/contrib/csrf.txt | 2 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 8 |
2 files changed, 8 insertions, 2 deletions
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt index 7ff7d53aa0..c3c01c0b06 100644 --- a/docs/ref/contrib/csrf.txt +++ b/docs/ref/contrib/csrf.txt @@ -280,6 +280,8 @@ CSRF checks:: >>> from django.test import Client >>> csrf_client = Client(enforce_csrf_checks=True) +.. _csrf-limitations: + Limitations =========== diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 3a28745598..f8a5e0f640 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -319,11 +319,15 @@ CSRF_COOKIE_DOMAIN Default: ``None`` The domain to be used when setting the CSRF cookie. This can be useful for -allowing cross-subdomain requests to be exluded from the normal cross site -request forgery protection. It should be set to a string such as +easily allowing cross-subdomain requests to be exluded from the normal cross +site request forgery protection. It should be set to a string such as ``".lawrence.com"`` to allow a POST request from a form on one subdomain to be accepted by accepted by a view served from another subdomain. +Please note that the presence of this setting does not imply that Django's CSRF +protection is safe from cross-subdomain attacks by default - please see the +:ref:`CSRF limitations <csrf-limitations>` section. + .. setting:: CSRF_COOKIE_NAME CSRF_COOKIE_NAME |
