author: Joshua Kehn <josh@kehn.us> 2015-08-31 22:32:03 -0400
committer: Tim Graham <timograham@gmail.com> 2015-09-05 09:19:57 -0400
commit: ab26b65b2f178597be845e203eb698e193e3502e (patch)
tree: 0373fa71f7f14e4bd4b24efe36554741144209ba /docs/ref/settings.txt
parent: 48c420d99209b147b58d7b873d1b54f76249c8dc (diff)
Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS.
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other domains that are included during the CSRF Referer header verification for secure (HTTPS) requests.
Diffstat (limited to 'docs/ref/settings.txt')
-rw-r--r--  docs/ref/settings.txt  | 18
1 files changed, 18 insertions, 0 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 217f54281d..ed5ac98947 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -428,6 +428,23 @@ any hyphens with underscores, and adding an ``'HTTP_'`` prefix to the name.
For example, if your client sends a ``'X-XSRF-TOKEN'`` header, the setting
should be ``'HTTP_X_XSRF_TOKEN'``.
+.. setting:: CSRF_TRUSTED_ORIGINS
+
+CSRF_TRUSTED_ORIGINS
+--------------------
+
+.. versionadded:: 1.9
+
+Default: ``[]`` (Empty list)
+
+A list of hosts which are trusted origins for unsafe requests (e.g. ``POST``).
+For a :meth:`secure <django.http.HttpRequest.is_secure>` unsafe
+request, Django's CSRF protection requires that the request have a ``Referer``
+header that matches the origin present in the ``Host`` header. This prevents,
+for example, a ``POST`` request from ``subdomain.example.com`` from succeeding
+against ``api.example.com``. If you need cross-origin unsafe requests over
+HTTPS, continuing the example, add ``"subdomain.example.com"`` to this list.
+
.. setting:: DATABASES
DATABASES
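Review bot: the entry format is underspecified in the new ``CSRF_TRUSTED_ORIGINS`` section: the first sentence calls it "a list of hosts" while the setting name says origins, and the only example is the bare hostname ``"subdomain.example.com"``, so a reader cannot tell whether a scheme or port may be included or whether a leading-dot form is accepted for subdomains; state the expected entry form explicitly. Since the paragraph explains that the Referer check is what stops a ``POST`` from ``subdomain.example.com`` reaching ``api.example.com``, it should also say plainly that every host added here is exempted from that check for HTTPS unsafe requests, so the list should contain only domains under your control. Finally, "a :meth:`secure <django.http.HttpRequest.is_secure>` unsafe request" reads awkwardly; "an unsafe request (e.g. ``POST``) made over HTTPS" would be clearer while keeping the ``is_secure`` reference.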
@@ -3374,6 +3391,7 @@ Security
* :setting:`CSRF_COOKIE_SECURE`
* :setting:`CSRF_FAILURE_VIEW`
* :setting:`CSRF_HEADER_NAME`
+ * :setting:`CSRF_TRUSTED_ORIGINS`
* :setting:`SECRET_KEY`
* :setting:`X_FRAME_OPTIONS`