Fixed #16010 -- Added Origin header checking to CSRF middleware.

Thanks David Benjamin for the original patch, and Florian Apolloner, Chris Jerdonek, and Adam Johnson for reviews.
2025-10-31 09:41:08 +00:00 · 2021-01-02 18:46:17 -05:00
parent dba44a7a7a
commit 2411b8b5eb
5 changed files with 238 additions and 13 deletions
--- a/docs/releases/4.0.txt
+++ b/docs/releases/4.0.txt
@@ -149,7 +149,9 @@ Cache
 CSRF
 ~~~~

-* ...
+* CSRF protection now consults the ``Origin`` header, if present. To facilitate
+  this, :ref:`some changes <csrf-trusted-origins-changes-4.0>` to the
+  :setting:`CSRF_TRUSTED_ORIGINS` setting are required.

 Decorators
 ~~~~~~~~~~
@@ -323,6 +325,15 @@ the dot. For example, change ``'.example.com'`` to ``'https://*.example.com'``.

 A system check detects any required changes.

+Configuring it may now be required
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As CSRF protection now consults the ``Origin`` header, you may need to set
+:setting:`CSRF_TRUSTED_ORIGINS`, particularly if you allow requests from
+subdomains by setting :setting:`CSRF_COOKIE_DOMAIN` (or
+:setting:`SESSION_COOKIE_DOMAIN` if :setting:`CSRF_USE_SESSIONS` is enabled) to
+a value starting with a dot.
+
 Miscellaneous
 -------------