1
0
mirror of https://github.com/django/django.git synced 2024-12-29 12:36:08 +00:00
Commit Graph

62 Commits

Author SHA1 Message Date
Tim Schilling
06bdf62b56 [5.0.x] Fixed #34990 -- Changed link to OWASP in CSRF docs.
The OWASP site is the standard resource for web application
security information.
Backport of aceee39d44 from main
2023-11-23 05:28:15 +01:00
Ben Lomax
74f7deec9e Refs #31949 -- Made make_middleware_decorator to work with async functions. 2023-09-13 11:41:01 +02:00
Ben Lomax
953f81e078 Refs #31949 -- Made @csrf_exempt decorator to work with async functions. 2023-07-10 07:55:02 +02:00
django-bot
14459f80ee Fixed #34140 -- Reformatted code blocks in docs with blacken-docs. 2023-03-01 13:03:56 +01:00
Mariusz Felisiak
490cccbe7e Removed versionadded/changed annotations for 4.1. 2023-01-17 11:49:15 +01:00
Mariusz Felisiak
514884e9a5
Updated various links to HTTPS and new locations. 2022-12-06 05:59:43 +01:00
Nick Pope
9bd174b9a7 Updated documentation and comments for RFC updates.
- Updated references to RFC 1123 to RFC 5322
  - Only partial as RFC 5322 sort of sub-references RFC 1123.
- Updated references to RFC 2388 to RFC 7578
  - Except RFC 2388 Section 5.3 which has no equivalent.
- Updated references to RFC 2396 to RFC 3986
- Updated references to RFC 2616 to RFC 9110
- Updated references to RFC 3066 to RFC 5646
- Updated references to RFC 7230 to RFC 9112
- Updated references to RFC 7231 to RFC 9110
- Updated references to RFC 7232 to RFC 9110
- Updated references to RFC 7234 to RFC 9111
- Tidied up style of text when referring to RFC documents
2022-11-10 13:52:17 +01:00
Carlton Gibson
ca1c3151c3 Removed versionadded/changed annotations for 4.0. 2022-05-17 14:22:06 +02:00
tommcn
e458abc593 Refs #28592 -- Created a new CSRF how-to document. 2022-03-17 06:53:53 +01:00
Tomas McNamer
65ac1431d5
Refs #28592 -- Removed redundant spaces in docs/ref/csrf.txt. 2022-03-14 07:46:01 +01:00
Chris Jerdonek
5d80843ebc Fixed #32800 -- Changed CsrfViewMiddleware not to mask the CSRF secret.
This also adds CSRF_COOKIE_MASKED transitional setting helpful in
migrating multiple instance of the same project to Django 4.1+.

Thanks Florian Apolloner and Shai Berger for reviews.

Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-11-29 10:47:39 +01:00
Mariusz Felisiak
1d16dbc745 Fixed broken links and redirects in docs. 2021-09-21 09:27:44 +02:00
sdwoodbury
691b8dd8ed
Made CSRF JavaScript example more reusable. 2021-09-13 06:36:27 +02:00
Tim Graham
2411b8b5eb Fixed #16010 -- Added Origin header checking to CSRF middleware.
Thanks David Benjamin for the original patch, and Florian
Apolloner, Chris Jerdonek, and Adam Johnson for reviews.
2021-03-18 20:25:20 +01:00
Carlton Gibson
3d4ffd1ff0 Fixed #32065 -- Restored leading dot to CSRF_COOKIE_DOMAIN examples.
Partially reverts afd375fc34.

Thanks to Tim Graham for review.
2020-10-07 10:03:10 +02:00
Adam Johnson
2afa61e7d9 Refs #31493 -- Replaced var with const/let in documentation JS. 2020-06-24 12:20:57 +02:00
Adam Johnson
1cdfe8d912 Prevented (and corrected) single backtick usage in docs. 2020-04-01 14:55:11 +02:00
Ram Rachum
5b09354954
Fixed #31291 -- Renamed salt to mask for CSRF tokens. 2020-02-25 14:16:19 +01:00
Jon Dufresne
3fe5d0128b Rewrote CSRF JavaScript example without jQuery. 2019-12-12 16:34:03 +01:00
Jon Dufresne
e703b93a65 Fixed #31080 -- Removed redundant type="text/javascript" attribute from <script> tags. 2019-12-11 09:49:54 +01:00
Baptiste Mispelon
ff1b19da67 Fixed #31029 -- Used more specific links to RFCs. 2019-11-27 20:54:38 +01:00
Tobias Kunze
4a954cfd11 Fixed #30573 -- Rephrased documentation to avoid words that minimise the involved difficulty.
This patch does not remove all occurrences of the words in question.
Rather, I went through all of the occurrences of the words listed
below, and judged if they a) suggested the reader had some kind of
knowledge/experience, and b) if they added anything of value (including
tone of voice, etc). I left most of the words alone. I looked at the
following words:

- simply/simple
- easy/easier/easiest
- obvious
- just
- merely
- straightforward
- ridiculous

Thanks to Carlton Gibson for guidance on how to approach this issue, and
to Tim Bell for providing the idea. But the enormous lion's share of
thanks go to Adam Johnson for his patient and helpful review.
2019-09-06 13:27:46 +02:00
Tim Graham
8e675e2bd8 Fixed #30299 -- Removed jQuery dependency from getCookie() in CSRF docs. 2019-03-28 19:51:54 -04:00
François Freitag
9b15ff08ba Used auto-numbered lists in documentation. 2018-11-15 13:54:28 -05:00
Mayank Singhal
76b3367035 Fixed #29879 -- Added CSRF_COOKIE_HTTPONLY to CSRF AJAX docs. 2018-10-25 11:39:52 -04:00
Tim Graham
a29fce8984 Fixed #29858 -- Clarified docs regarding CSRF token header name. 2018-10-18 19:44:15 -04:00
Maxime Lorant
31407fa3b3 Removed duplicate words in docs.
.
2018-07-18 11:24:06 -04:00
Mariusz Felisiak
35319bf12c
Alphabetized imports in various docs.
Follow-up of d97cce3409 and 7d3fe36c62.
2018-05-12 19:37:42 +02:00
CHI Cheng
4660ce5a69 Fixed #29375 -- Removed empty action attribute on HTML forms. 2018-05-02 09:20:04 -04:00
Alex Gaynor
9a56b4b13e Fixed #27863 -- Added support for the SameSite cookie flag.
Thanks Alex Gaynor for contributing to the patch.
2018-04-13 20:58:31 -04:00
Tim Graham
5446b72003 Removed versionadded/changed annotations for 1.11. 2017-09-22 12:51:18 -04:00
Flávio Juvenal
0af14b2eaa Refs #16870 -- Doc'd that CSRF protection requires the Referer header. 2017-06-22 11:50:00 -04:00
Claude Paroz
01f658644a Updated various links in docs to avoid redirects
Thanks Tim Graham and Mariusz Felisiak for review and completion.
2017-05-22 19:28:44 +02:00
Alasdair Nicol
503e944ac7 Refs #16859 -- Updated CSRF FAQ to mention CSRF_USE_SESSIONS setting. 2017-01-20 18:56:48 -05:00
Tim Graham
e27e4c0339 Removed versionadded/changed annotations for 1.10. 2017-01-17 20:52:05 -05:00
Raphael Michel
ddf169cdac Refs #16859 -- Allowed storing CSRF tokens in sessions.
Major thanks to Shai for helping to refactor the tests, and to
Shai, Tim, Florian, and others for extensive and helpful review.
2016-11-30 08:57:27 -05:00
Camilo Nova
222e1334bf Used strict comparison in docs/ref/csrf.txt's JavaScript. 2016-06-28 12:51:51 -04:00
Holly Becker
55fec16aaf Fixed #26628 -- Changed CSRF logger to django.security.csrf. 2016-06-04 10:17:06 -04:00
B. J. Potter
9c53facc45 Fixed #26596 -- Added Jinja2 {{ csrf_input }} documentation. 2016-06-03 15:24:45 -04:00
B. J. Potter
261738990e Added syntax highlighting to CSRF example. 2016-06-03 15:18:58 -04:00
Holly Becker
ff9198ee0f Refs #26628 -- Documented CSRF failure logging. 2016-06-02 20:42:41 -04:00
Tim Graham
46a38307c2 Removed versionadded/changed annotations for 1.9. 2016-05-20 11:44:29 -04:00
Shai Berger
5112e65ef2 Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).

While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).

Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2016-05-19 05:02:19 +03:00
Florian Apolloner
9baf692a58 Fixed #26601 -- Improved middleware per DEP 0005.
Thanks Tim Graham for polishing the patch, updating the tests, and
writing documentation. Thanks Carl Meyer for shepherding the DEP.
2016-05-17 07:22:22 -04:00
Vasiliy Faronov
ac77c55bc5 Fixed #26567 -- Updated references to obsolete RFC2616.
Didn't touch comments where it wasn't obvious that the code adhered to
the newer standard.
2016-05-03 11:14:40 -04:00
Vaclav Ehrlich
369fa471f4 Fixed #26201 -- Documented the consequences of rotating the CSRF token on login. 2016-04-05 11:02:38 -04:00
acemaster
a1b1688c7d Fixed #26165 -- Added some FAQs about CSRF protection.
Thanks Florian Apolloner and Shai Berger for review.
2016-03-01 08:45:05 -05:00
userimack
7a7b82e6f4 Fixed #26181 -- Corrected AngularJS CSRF example. 2016-02-09 09:22:23 -05:00
Luke Plant
77974a684a Changed action="." to action="" in tests and docs.
`action="."` strips query parameters from the URL which is not usually what
you want. Copy-paste coding of these examples could lead to difficult to
track down bugs or even data loss if the query parameter was meant to alter
the scope of a form's POST request.
2016-01-21 13:59:15 -05:00
Danilo Bargen
6a4f13de27 Added docs about configuring CSRF support in AngularJS. 2016-01-15 10:14:52 -05:00