Carl Meyer
0e03a504bf
Refs #15855 -- Recommended the csrf_protect decorator rather than vary_on_cookie as workaround for cache_page caching the response before it gets to middleware.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16361 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-10 16:18:40 +00:00
Luke Plant
528157ce73
Fixed #14201 - Add a "security overview" page to the docs
...
Thanks to davidfischer for the initial patch!
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16360 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-10 15:14:36 +00:00
Ramiro Morales
50ad59527c
Tweaked some render_to_response
links in the documentation.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16255 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-21 18:36:01 +00:00
Simon Meers
5ecb88c146
Fixed #16014 -- numerous documentation typos -- thanks psmith.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16220 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-13 04:33:42 +00:00
Luke Plant
396bc58889
Updated AJAX example code in CSRF docs to be consistent regarding what are safe HTTP methods
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16202 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 23:46:02 +00:00
Luke Plant
cb060f0f34
Fixed #15258 - Ajax CSRF protection doesn't apply to PUT or DELETE requests
...
Thanks to brodie for the report, and further input from tow21
This is a potentially backwards incompatible change - if you were doing
PUT/DELETE requests and relying on the lack of protection, you will need to
update your code, as noted in the releaste notes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16201 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 23:45:54 +00:00
Luke Plant
8cbcf1d3a6
Fixed #14134 - ability to set cookie 'path' and 'secure' attributes of CSRF cookie
...
Thanks to cfattarsi for the report and initial patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16200 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 23:00:22 +00:00
Luke Plant
a75120927e
Added 'settings' section to CSRF docs, eliminating the unneeded 'Subdomains' section
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16199 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 23:00:10 +00:00
Luke Plant
d3641d889b
Clarified wording about use of 2 decorators in CSRF docs
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16198 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 23:00:02 +00:00
Luke Plant
bf7af2be15
Added clarifying note to docs for CSRF_COOKIE_DOMAIN
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16197 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 22:59:52 +00:00
Luke Plant
b6c5f8060d
Fixed #15354 - provide method to ensure CSRF token is always available for AJAX requests
...
Thanks to sayane for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16192 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 21:35:24 +00:00
Luke Plant
e9342e9b32
Fixed #15469 - CSRF token is inserted on GET requests
...
Thanks to goran for report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16191 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 19:06:57 +00:00
Luke Plant
7c648ea4aa
Mentioned simplification of AJAX example code in CSRF docs.
...
Refs #15469 . Thanks to aaugustin for the suggestion
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16190 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 19:06:49 +00:00
Luke Plant
5df93d529d
Documented the edge case of needing a view that is partly CSRF protected
...
Refs #15518 .
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16189 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 18:27:52 +00:00
Luke Plant
b5da093fa9
In CSRF docs, moved 'Exceptions' section to 'Edge cases', and cleaned up some associated markup
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16188 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 18:27:45 +00:00
Luke Plant
eadcbcb131
Fixed #15518 - documented requires_csrf_token
...
Thanks to vzima for a report that raised the issue.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16187 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 18:27:36 +00:00
Luke Plant
1d350a6c51
Changed an example in CSRF docs to use new 'render' shortcut
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16186 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 18:27:28 +00:00
Luke Plant
ae1866ddef
Fixed #15869 - example AJAX code in CSRF docs fails sometimes for IE7 or absolute same origin URLs
...
Thanks to nick for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16183 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 15:40:01 +00:00
Luke Plant
96520e87bd
Corrected factual error regarding logging in the CSRF docs
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16047 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-20 11:39:10 +00:00
Luke Plant
8823021625
Removed deprecated CsrfResponseMiddleware, and corresponding tests and docs
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15949 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-30 17:34:26 +00:00
Luke Plant
37343bac8a
Removed example CSRF jQuery code from release notes, replacing with link to improved code in the CSRF docs
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15628 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-22 11:27:58 +00:00
Luke Plant
d068a04244
Fixed #15284 - improved example jQuery code for adding X-CSRF-Token
...
Using the ajaxSend event is better than beforeSend, because the beforeSend
callback can have only one value, which makes it painful if it is needed by
multiple bits of javascript.
Thanks to LukeMaurer for report and initial patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15515 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-12 23:37:35 +00:00
Alex Gaynor
208630aa4b
Fixed a security issue in the CSRF component. Disclosure and new release forthcoming.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15464 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-09 02:06:27 +00:00
Timo Graham
2ea93f9327
Fixed #14000 - remove versionadded/changed tags for Django 1.0 and 1.1
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15055 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-26 00:37:14 +00:00
Russell Keith-Magee
8ce4a1991a
Fixed #14116 -- Added a flag to enable CSRF checks in the test client. Thanks to jon@licq.org for the suggestion.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13640 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-08-27 13:54:13 +00:00
Jacob Kaplan-Moss
728effcfbd
Fixed #14141 : docs now use the :doc: construct for links between documents.
...
Thanks, Ramiro Morales.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13608 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-08-19 19:27:44 +00:00
Luke Plant
9f592ecced
Fixed #12964 - wrong path for CSRF decorators in upgrading notes.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12618 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-02-27 21:00:38 +00:00
Luke Plant
be57541af1
Fixed #12839 - noted change of import path for csrf_exempt decorator
...
Thanks rubic for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12407 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-02-10 23:51:09 +00:00
Luke Plant
48edb177ed
Fixed #12053 - form examples don't validate according to w3c
...
Thanks to skyl for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12086 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-04 21:55:52 +00:00
Luke Plant
20c7e646ff
Added notes to "Features deprecated in 1.2" about CSRF and SMTPConnection
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11788 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-12-03 14:48:47 +00:00
Russell Keith-Magee
cf169d9e12
Cleaned up the release notes index page, and added some stub 1.1.2 and 1.2 release notes.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11760 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-11-23 13:44:24 +00:00
Luke Plant
53b2c3867b
Fixed #12130 - documented need for csrf_protect on views that don't accept POST
...
Includes:
* proper documentation for csrf_protect
* notes in comments app.
* specific upgrade notes for comments app
Thanks to carljm for report and debugging.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11711 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-11-03 14:40:37 +00:00
Luke Plant
5a0aab41ee
Allow CsrfResponseMiddleware to be used if templates cannot be updated.
...
For the case where someone is using contrib views with custom templates that
they cannot update to use the template tag, it should be possible to use
CsrfResponseMiddleware. This requires that 'csrf_response_exempt' is not
used for the admin views.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11683 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-30 00:17:29 +00:00
Luke Plant
e6f0c10e77
Fixed typo in docs
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11677 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 22:26:54 +00:00
Luke Plant
9dc9770736
Documented the presence of {% csrf_token %} in Django 1.1.2 in trunk docs.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11675 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 21:52:25 +00:00
Luke Plant
b32a187296
Fixed some typos
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11668 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 13:13:40 +00:00
Luke Plant
f00ad4168e
Added explicit notes about the need to update any customised templates for contrib apps for CSRF changes
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11667 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 12:11:56 +00:00
Luke Plant
64b4ab18b4
Use decorator syntax for csrf_exempt example.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11663 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:43:16 +00:00
Luke Plant
7230a995ce
Moved contrib.csrf.* to core code.
...
There is stub code for backwards compatiblity with Django 1.1 imports.
The documentation has been updated, but has been left in
docs/contrib/csrf.txt for now, in order to avoid dead links to
documentation on the website.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:36:34 +00:00
Luke Plant
8e70cef9b6
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
...
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
Luke Plant
a02a6fab66
Fixed #9163 - CsrfMiddleware needs to reset ETag header
...
Thanks to carljm for report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11650 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-24 10:45:58 +00:00
Luke Plant
20f7e51493
Reverted 10094 and 10095 (in favour of solution that will hopefully land for beta 2)
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10128 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-23 23:02:46 +00:00
Luke Plant
2d28724730
Added CSRF middleware to default settings and updated docs.
...
Updated docs to reflect the change, and the fact that using the
two separate middleware is preferred to using the combined one.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10094 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-19 23:14:20 +00:00
Luke Plant
9a2e338107
Made CSRF middleware skip post-processing for 'csrf_exempt' decorated views.
...
This commit also decomposes the decorator into two decorators which can be
used separately, adds some tests, updates docs and fixes some code comments.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9815 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-02-07 17:47:02 +00:00
Adrian Holovaty
e9b90d9899
Edited ref/contrib/csrf.txt changes from [9554]
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9593 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-12-08 04:15:19 +00:00
Luke Plant
9ec9936413
Updated csrf docs with 'versionadded' info
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9555 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-12-03 00:44:12 +00:00
Luke Plant
9eedc7bd0b
New CsrfMiddleware features: automatic exceptions for known AJAX and decorator for manual exceptions
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9554 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-12-03 00:34:18 +00:00
Jacob Kaplan-Moss
97cb07c3a1
Massive reorganization of the docs. See the new docs online at http://docs.djangoproject.com/ .
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8506 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-23 22:25:40 +00:00