| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2020-10-07 | Fixed #32065 -- Restored leading dot to CSRF_COOKIE_DOMAIN examples. | Carlton Gibson | |
| Partially reverts afd375fc343baa46e61036087bc43b3d096bb0ca. Thanks to Tim Graham for review. | |||
| 2020-06-24 | Refs #31493 -- Replaced var with const/let in documentation JS. | Adam Johnson | |
| 2020-04-01 | Prevented (and corrected) single backtick usage in docs. | Adam Johnson | |
| 2020-02-25 | Fixed #31291 -- Renamed salt to mask for CSRF tokens. | Ram Rachum | |
| 2019-12-12 | Rewrote CSRF JavaScript example without jQuery. | Jon Dufresne | |
| 2019-12-11 | Fixed #31080 -- Removed redundant type="text/javascript" attribute from ↵ | Jon Dufresne | |
| <script> tags. | |||
| 2019-11-27 | Fixed #31029 -- Used more specific links to RFCs. | Baptiste Mispelon | |
| 2019-09-06 | Fixed #30573 -- Rephrased documentation to avoid words that minimise the ↵ | Tobias Kunze | |
| involved difficulty. This patch does not remove all occurrences of the words in question. Rather, I went through all of the occurrences of the words listed below, and judged if they a) suggested the reader had some kind of knowledge/experience, and b) if they added anything of value (including tone of voice, etc). I left most of the words alone. I looked at the following words: - simply/simple - easy/easier/easiest - obvious - just - merely - straightforward - ridiculous Thanks to Carlton Gibson for guidance on how to approach this issue, and to Tim Bell for providing the idea. But the enormous lion's share of thanks go to Adam Johnson for his patient and helpful review. | |||
| 2019-03-28 | Fixed #30299 -- Removed jQuery dependency from getCookie() in CSRF docs. | Tim Graham | |
| 2018-11-15 | Used auto-numbered lists in documentation. | François Freitag | |
| 2018-10-25 | Fixed #29879 -- Added CSRF_COOKIE_HTTPONLY to CSRF AJAX docs. | Mayank Singhal | |
| 2018-10-18 | Fixed #29858 -- Clarified docs regarding CSRF token header name. | Tim Graham | |
| 2018-07-18 | Removed duplicate words in docs. | Maxime Lorant | |
| . | |||
| 2018-05-12 | Alphabetized imports in various docs. | Mariusz Felisiak | |
| Follow-up of d97cce34096043b019e818a7fb98c0f9f073704c and 7d3fe36c626a3268413eb86d37920f132eb4a54f. | |||
| 2018-05-02 | Fixed #29375 -- Removed empty action attribute on HTML forms. | CHI Cheng | |
| 2018-04-13 | Fixed #27863 -- Added support for the SameSite cookie flag. | Alex Gaynor | |
| Thanks Alex Gaynor for contributing to the patch. | |||
| 2017-09-22 | Removed versionadded/changed annotations for 1.11. | Tim Graham | |
| 2017-06-22 | Refs #16870 -- Doc'd that CSRF protection requires the Referer header. | Flávio Juvenal | |
| 2017-05-22 | Updated various links in docs to avoid redirects | Claude Paroz | |
| Thanks Tim Graham and Mariusz Felisiak for review and completion. | |||
| 2017-01-20 | Refs #16859 -- Updated CSRF FAQ to mention CSRF_USE_SESSIONS setting. | Alasdair Nicol | |
| 2017-01-17 | Removed versionadded/changed annotations for 1.10. | Tim Graham | |
| 2016-11-30 | Refs #16859 -- Allowed storing CSRF tokens in sessions. | Raphael Michel | |
| Major thanks to Shai for helping to refactor the tests, and to Shai, Tim, Florian, and others for extensive and helpful review. | |||
| 2016-06-28 | Used strict comparison in docs/ref/csrf.txt's JavaScript. | Camilo Nova | |
| 2016-06-04 | Fixed #26628 -- Changed CSRF logger to django.security.csrf. | Holly Becker | |
| 2016-06-03 | Fixed #26596 -- Added Jinja2 {{ csrf_input }} documentation. | B. J. Potter | |
| 2016-06-03 | Added syntax highlighting to CSRF example. | B. J. Potter | |
| 2016-06-02 | Refs #26628 -- Documented CSRF failure logging. | Holly Becker | |
| 2016-05-20 | Removed versionadded/changed annotations for 1.9. | Tim Graham | |
| 2016-05-19 | Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them | Shai Berger | |
| Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews. | |||
| 2016-05-17 | Fixed #26601 -- Improved middleware per DEP 0005. | Florian Apolloner | |
| Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP. | |||
| 2016-05-03 | Fixed #26567 -- Updated references to obsolete RFC2616. | Vasiliy Faronov | |
| Didn't touch comments where it wasn't obvious that the code adhered to the newer standard. | |||
| 2016-04-05 | Fixed #26201 -- Documented the consequences of rotating the CSRF token on login. | Vaclav Ehrlich | |
| 2016-03-01 | Fixed #26165 -- Added some FAQs about CSRF protection. | acemaster | |
| Thanks Florian Apolloner and Shai Berger for review. | |||
| 2016-02-09 | Fixed #26181 -- Corrected AngularJS CSRF example. | userimack | |
| 2016-01-21 | Changed `action="."` to `action=""` in tests and docs. | Luke Plant | |
| `action="."` strips query parameters from the URL which is not usually what you want. Copy-paste coding of these examples could lead to difficult to track down bugs or even data loss if the query parameter was meant to alter the scope of a form's POST request. | |||
| 2016-01-15 | Added docs about configuring CSRF support in AngularJS. | Danilo Bargen | |
| 2015-12-23 | Fixed #25969 -- Replaced render_to_response() with render() in docs examples. | Tim Graham | |
| 2015-12-01 | Fixed #25778 -- Updated docs links to use https when available. | Jon Dufresne | |
| 2015-11-16 | Fixed #25755 -- Unified spelling of "website". | Agnieszka Lasyk | |
| 2015-09-16 | Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN. | Matt Robenolt | |
| Thanks Seth Gottlieb for help with the documentation and Carl Meyer and Joshua Kehn for reviews. | |||
| 2015-09-05 | Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS. | Joshua Kehn | |
| Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other domains that are included during the CSRF Referer header verification for secure (HTTPS) requests. | |||
| 2015-08-19 | Recommended the JavaScript Cookie library instead of jQuery cookie. | Marc | |
| jQuery cookie is no longer maintained in favor of the JavaScript cookie library. This also removes the jQuery dependency. | |||
| 2015-05-01 | Updated capitalization in the word "JavaScript" for consistency | Dave Hodder | |
| 2015-03-05 | Fixed #21495 -- Added settings.CSRF_HEADER_NAME | Grzegorz Slusarek | |
| 2014-12-28 | Deprecated TEMPLATE_CONTEXT_PROCESSORS. | Aymeric Augustin | |
| 2014-12-28 | Moved context_processors from django.core to django.template. | Aymeric Augustin | |
| 2014-11-15 | Fixed #23825 -- Added links for decorating class-based views to the CSRF docs. | Fabio Natali | |
| 2014-11-03 | Moved CSRF docs out of contrib. | Thomas Chaumeny | |
