diff --git a/django/views/csrf.py b/django/views/csrf.py
index 6119f3b49d..0689df84e4 100644
--- a/django/views/csrf.py
+++ b/django/views/csrf.py
@@ -41,6 +41,7 @@ CSRF_FAILURE_TEMPLATE = """
 {% if no_referer %}
{{ no_referer1 }}
{{ no_referer2 }}
+{{ no_referer3 }}
{% endif %} {% if no_cookie %}{{ no_cookie1 }}
@@ -119,6 +120,13 @@ def csrf_failure(request, reason="", template_name=CSRF_FAILURE_TEMPLATE_NAME):
 "If you have configured your browser to disable 'Referer' headers, "
 "please re-enable them, at least for this site, or for HTTPS "
 "connections, or for 'same-origin' requests."),
+ 'no_referer3': _(
+ "If you are using the tag or including the 'Referrer-Policy: "
+ "no-referrer' header, please remove them. The CSRF protection "
+ "requires the 'Referer' header to do strict referer checking. If "
+ "you're concerned about privacy, use alternatives like "
+ " for links to third-party sites."),
 'no_cookie': reason == REASON_NO_CSRF_COOKIE,
 'no_cookie1': _(
 "You are seeing this message because this site requires a CSRF "
diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt
index 802d7251ab..dd5ea479ae 100644
--- a/docs/ref/csrf.txt
+++ b/docs/ref/csrf.txt
@@ -315,7 +315,19 @@ the HOST header
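Review bot: The new `'no_referer3'` text asks the reader to remove the site's referrer meta tag or `Referrer-Policy: no-referrer` header, but this failure page is rendered to the visitor whose request was rejected, and a visitor cannot change the site's own response headers; the advice is aimed at the site operator, not the person reading it. Consider either placing this paragraph in the DEBUG-only part of the template (that part of the template is not visible in this hunk, so I am inferring it exists) or rewording it so it describes the situation rather than instructing the visitor, e.g. `"This site may be sending a 'Referrer-Policy: no-referrer' header or referrer meta tag, which prevents the 'Referer' header the CSRF protection relies on from being sent."`. The preceding `'no_referer2'` text already notes that the check concerns HTTPS connections; as far as I recall the strict referer check only runs for secure requests, so stating that here too would keep the two paragraphs consistent. The `csrf_failure` function starts before this hunk and its body continues past it.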