mirror of
https://github.com/django/django.git
synced 2024-12-23 01:25:58 +00:00
Fixed #32065 -- Restored leading dot to CSRF_COOKIE_DOMAIN examples.
Partially reverts afd375fc34.
Thanks to Tim Graham for review.
This commit is contained in:
parent
dcb69043d0
commit
3d4ffd1ff0
@ -276,10 +276,10 @@ The CSRF protection is based on the following things:
|
|||||||
enough under HTTP.)
|
enough under HTTP.)
|
||||||
|
|
||||||
If the :setting:`CSRF_COOKIE_DOMAIN` setting is set, the referer is compared
|
If the :setting:`CSRF_COOKIE_DOMAIN` setting is set, the referer is compared
|
||||||
against it. This setting supports subdomains. For example,
|
against it. You can allow cross-subdomain requests by including a leading
|
||||||
``CSRF_COOKIE_DOMAIN = '.example.com'`` will allow POST requests from
|
dot. For example, ``CSRF_COOKIE_DOMAIN = '.example.com'`` will allow POST
|
||||||
``www.example.com`` and ``api.example.com``. If the setting is not set, then
|
requests from ``www.example.com`` and ``api.example.com``. If the setting is
|
||||||
the referer must match the HTTP ``Host`` header.
|
not set, then the referer must match the HTTP ``Host`` header.
|
||||||
|
|
||||||
Expanding the accepted referers beyond the current host or cookie domain can
|
Expanding the accepted referers beyond the current host or cookie domain can
|
||||||
be done with the :setting:`CSRF_TRUSTED_ORIGINS` setting.
|
be done with the :setting:`CSRF_TRUSTED_ORIGINS` setting.
|
||||||
|
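Review bot: the new wording in this hunk explains the leading dot only by example ("You can allow cross-subdomain requests by including a leading dot. For example, ``CSRF_COOKIE_DOMAIN = '.example.com'`` ..."); it never states the complementary case, so a reader cannot tell from this paragraph what a value without the leading dot does. Suggest adding one sentence before the example along the lines of "Without a leading dot, the referer must match the given domain exactly." so that the reader does not have to infer the restriction from the example alone. The contrast matters here because the paragraph is describing a relaxation of the referer check, and the reader should be able to see exactly how far it is being relaxed.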
@ -318,7 +318,7 @@ Default: ``None``
|
|||||||
The domain to be used when setting the CSRF cookie. This can be useful for
|
The domain to be used when setting the CSRF cookie. This can be useful for
|
||||||
easily allowing cross-subdomain requests to be excluded from the normal cross
|
easily allowing cross-subdomain requests to be excluded from the normal cross
|
||||||
site request forgery protection. It should be set to a string such as
|
site request forgery protection. It should be set to a string such as
|
||||||
``"example.com"`` to allow a POST request from a form on one subdomain to be
|
``".example.com"`` to allow a POST request from a form on one subdomain to be
|
||||||
accepted by a view served from another subdomain.
|
accepted by a view served from another subdomain.
|
||||||
|
|
||||||
Please note that the presence of this setting does not imply that Django's CSRF
|
Please note that the presence of this setting does not imply that Django's CSRF
|
||||||
|
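Review bot: restoring the dot in ``".example.com"`` fixes the example, but the sentence around it ("It should be set to a string such as ``".example.com"`` to allow a POST request from a form on one subdomain to be accepted by a view served from another subdomain.") still does not say that the leading dot is what produces the cross-subdomain behaviour, so someone reading the settings reference without the CSRF how-to above could drop the dot and get a different result. Suggest a short clause, e.g. "(the leading dot is required for the value to match subdomains)", or a ``:ref:`` back to the CSRF documentation where the first hunk now explains it. Worth keeping in mind when wording this: the paragraph itself says the setting causes cross-subdomain requests "to be excluded from the normal cross site request forgery protection", so the text should make it easy for the reader to see that the dotted value widens that exclusion to every subdomain.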