| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2019-03-28 | [2.2.x] Fixed #30299 -- Removed jQuery dependency from getCookie() in CSRF docs. | Tim Graham | |
| Backport of 8e675e2bd8366adf5d0b579accfef75a7b1bc3bf from master | |||
| 2018-11-15 | Used auto-numbered lists in documentation. | François Freitag | |
| 2018-10-25 | Fixed #29879 -- Added CSRF_COOKIE_HTTPONLY to CSRF AJAX docs. | Mayank Singhal | |
| 2018-10-18 | Fixed #29858 -- Clarified docs regarding CSRF token header name. | Tim Graham | |
| 2018-07-18 | Removed duplicate words in docs. | Maxime Lorant | |
| . | |||
| 2018-05-12 | Alphabetized imports in various docs. | Mariusz Felisiak | |
| Follow-up of d97cce34096043b019e818a7fb98c0f9f073704c and 7d3fe36c626a3268413eb86d37920f132eb4a54f. | |||
| 2018-05-02 | Fixed #29375 -- Removed empty action attribute on HTML forms. | CHI Cheng | |
| 2018-04-13 | Fixed #27863 -- Added support for the SameSite cookie flag. | Alex Gaynor | |
| Thanks Alex Gaynor for contributing to the patch. | |||
| 2017-09-22 | Removed versionadded/changed annotations for 1.11. | Tim Graham | |
| 2017-06-22 | Refs #16870 -- Doc'd that CSRF protection requires the Referer header. | Flávio Juvenal | |
| 2017-05-22 | Updated various links in docs to avoid redirects | Claude Paroz | |
| Thanks Tim Graham and Mariusz Felisiak for review and completion. | |||
| 2017-01-20 | Refs #16859 -- Updated CSRF FAQ to mention CSRF_USE_SESSIONS setting. | Alasdair Nicol | |
| 2017-01-17 | Removed versionadded/changed annotations for 1.10. | Tim Graham | |
| 2016-11-30 | Refs #16859 -- Allowed storing CSRF tokens in sessions. | Raphael Michel | |
| Major thanks to Shai for helping to refactor the tests, and to Shai, Tim, Florian, and others for extensive and helpful review. | |||
| 2016-06-28 | Used strict comparison in docs/ref/csrf.txt's JavaScript. | Camilo Nova | |
| 2016-06-04 | Fixed #26628 -- Changed CSRF logger to django.security.csrf. | Holly Becker | |
| 2016-06-03 | Fixed #26596 -- Added Jinja2 {{ csrf_input }} documentation. | B. J. Potter | |
| 2016-06-03 | Added syntax highlighting to CSRF example. | B. J. Potter | |
| 2016-06-02 | Refs #26628 -- Documented CSRF failure logging. | Holly Becker | |
| 2016-05-20 | Removed versionadded/changed annotations for 1.9. | Tim Graham | |
| 2016-05-19 | Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them | Shai Berger | |
| Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews. | |||
| 2016-05-17 | Fixed #26601 -- Improved middleware per DEP 0005. | Florian Apolloner | |
| Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP. | |||
| 2016-05-03 | Fixed #26567 -- Updated references to obsolete RFC2616. | Vasiliy Faronov | |
| Didn't touch comments where it wasn't obvious that the code adhered to the newer standard. | |||
| 2016-04-05 | Fixed #26201 -- Documented the consequences of rotating the CSRF token on login. | Vaclav Ehrlich | |
| 2016-03-01 | Fixed #26165 -- Added some FAQs about CSRF protection. | acemaster | |
| Thanks Florian Apolloner and Shai Berger for review. | |||
| 2016-02-09 | Fixed #26181 -- Corrected AngularJS CSRF example. | userimack | |
| 2016-01-21 | Changed `action="."` to `action=""` in tests and docs. | Luke Plant | |
| `action="."` strips query parameters from the URL which is not usually what you want. Copy-paste coding of these examples could lead to difficult to track down bugs or even data loss if the query parameter was meant to alter the scope of a form's POST request. | |||
| 2016-01-15 | Added docs about configuring CSRF support in AngularJS. | Danilo Bargen | |
| 2015-12-23 | Fixed #25969 -- Replaced render_to_response() with render() in docs examples. | Tim Graham | |
| 2015-12-01 | Fixed #25778 -- Updated docs links to use https when available. | Jon Dufresne | |
| 2015-11-16 | Fixed #25755 -- Unified spelling of "website". | Agnieszka Lasyk | |
| 2015-09-16 | Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN. | Matt Robenolt | |
| Thanks Seth Gottlieb for help with the documentation and Carl Meyer and Joshua Kehn for reviews. | |||
| 2015-09-05 | Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS. | Joshua Kehn | |
| Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other domains that are included during the CSRF Referer header verification for secure (HTTPS) requests. | |||
| 2015-08-19 | Recommended the JavaScript Cookie library instead of jQuery cookie. | Marc | |
| jQuery cookie is no longer maintained in favor of the JavaScript cookie library. This also removes the jQuery dependency. | |||
| 2015-05-01 | Updated capitalization in the word "JavaScript" for consistency | Dave Hodder | |
| 2015-03-05 | Fixed #21495 -- Added settings.CSRF_HEADER_NAME | Grzegorz Slusarek | |
| 2014-12-28 | Deprecated TEMPLATE_CONTEXT_PROCESSORS. | Aymeric Augustin | |
| 2014-12-28 | Moved context_processors from django.core to django.template. | Aymeric Augustin | |
| 2014-11-15 | Fixed #23825 -- Added links for decorating class-based views to the CSRF docs. | Fabio Natali | |
| 2014-11-03 | Moved CSRF docs out of contrib. | Thomas Chaumeny | |
