mirror of https://github.com/django/django.git, synced 2025-10-24 22:26:08 +00:00

Added clarifying note to docs for CSRF_COOKIE_DOMAIN

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16197 bcc190cf-cafb-0310-a4f2-bffc1f526a37
		| @@ -280,6 +280,8 @@ CSRF checks:: | ||||
|     >>> from django.test import Client | ||||
|     >>> csrf_client = Client(enforce_csrf_checks=True) | ||||
|  | ||||
| .. _csrf-limitations: | ||||
|  | ||||
| Limitations | ||||
| =========== | ||||
|  | ||||
|   | ||||
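Review bot: the `csrf-limitations` label added above the Limitations heading becomes the target of a security-relevant cross-reference, but the section body is not visible in this hunk. Please confirm that the section actually describes the cross-subdomain case that the new CSRF_COOKIE_DOMAIN note sends readers to. If it does not, the reference resolves but leaves the reader without the explanation the note promises.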
| @@ -319,11 +319,15 @@ CSRF_COOKIE_DOMAIN | ||||
| Default: ``None`` | ||||
|  | ||||
| The domain to be used when setting the CSRF cookie.  This can be useful for | ||||
| allowing cross-subdomain requests to be exluded from the normal cross site | ||||
| request forgery protection.  It should be set to a string such as | ||||
| easily allowing cross-subdomain requests to be exluded from the normal cross | ||||
| site request forgery protection.  It should be set to a string such as | ||||
| ``".lawrence.com"`` to allow a POST request from a form on one subdomain to be | ||||
| accepted by accepted by a view served from another subdomain. | ||||
|  | ||||
| Please note that the presence of this setting does not imply that Django's CSRF | ||||
| protection is safe from cross-subdomain attacks by default - please see the | ||||
| :ref:`CSRF limitations <csrf-limitations>` section. | ||||
|  | ||||
| .. setting:: CSRF_COOKIE_NAME | ||||
|  | ||||
| CSRF_COOKIE_NAME | ||||
|   | ||||
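Review bot: the reworded sentence in the CSRF_COOKIE_DOMAIN paragraph still carries the typo "exluded" ("easily allowing cross-subdomain requests to be exluded"), and the line "accepted by accepted by a view served from another subdomain" repeats two words. Both are worth fixing while this paragraph is being edited. The added note would also serve readers better if it named the risk in a clause of its own, rather than only saying the protection is not "safe from cross-subdomain attacks by default" and deferring everything to the limitations section. "Useful for easily allowing" reads awkwardly; the earlier "useful for allowing" was cleaner.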