Mirror of https://github.com/django/django.git, synced 2025-10-24 14:16:09 +00:00
Fixed #32065 -- Restored leading dot to CSRF_COOKIE_DOMAIN examples.
Partially reverts afd375fc34.
Thanks to Tim Graham for review.
Committed by Carlton Gibson. Parent: dcb69043d0. Commit: 3d4ffd1ff0.
@@ -276,10 +276,10 @@ The CSRF protection is based on the following things:
enough under HTTP.)
If the :setting:`CSRF_COOKIE_DOMAIN` setting is set, the referer is compared
against it. This setting supports subdomains. For example,
``CSRF_COOKIE_DOMAIN = '.example.com'`` will allow POST requests from
``www.example.com`` and ``api.example.com``. If the setting is not set, then
the referer must match the HTTP ``Host`` header.
against it. You can allow cross-subdomain requests by including a leading
dot. For example, ``CSRF_COOKIE_DOMAIN = '.example.com'`` will allow POST
requests from ``www.example.com`` and ``api.example.com``. If the setting is
not set, then the referer must match the HTTP ``Host`` header.
Expanding the accepted referers beyond the current host or cookie domain can
be done with the :setting:`CSRF_TRUSTED_ORIGINS` setting.
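Review bot: the added sentence "You can allow cross-subdomain requests by including a leading dot" explains the dotted form but never states the contrasting case, so the reader still cannot tell what a value without the leading dot (e.g. ``CSRF_COOKIE_DOMAIN = 'example.com'``) matches; consider adding one sentence saying explicitly that such a value does not cover subdomains, if that is the intended behaviour, since the removed wording "This setting supports subdomains" previously implied the opposite for any value.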
@@ -318,7 +318,7 @@ Default: ``None``
The domain to be used when setting the CSRF cookie. This can be useful for
easily allowing cross-subdomain requests to be excluded from the normal cross
site request forgery protection. It should be set to a string such as
``"example.com"`` to allow a POST request from a form on one subdomain to be
``".example.com"`` to allow a POST request from a form on one subdomain to be
accepted by a view served from another subdomain.
Please note that the presence of this setting does not imply that Django's CSRF
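Review bot: the replaced example ``".example.com"`` uses double quotes while the same value in the CSRF reference hunk above is written ``'.example.com'``; consider one quoting style so both pages show the identical setting line. The unchanged context sentence "easily allowing cross-subdomain requests to be excluded from the normal cross site request forgery protection" also reads awkwardly and could be tightened to "exempting cross-subdomain requests from the normal cross site request forgery protection" while this paragraph is being touched.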