From bf7af2be15a0844f5c1ae9a47cb75fc255e0eaf6 Mon Sep 17 00:00:00 2001 From: Luke Plant Date: Mon, 9 May 2011 22:59:52 +0000 Subject: [PATCH] Added clarifying note to docs for CSRF_COOKIE_DOMAIN git-svn-id: http://code.djangoproject.com/svn/django/trunk@16197 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- docs/ref/contrib/csrf.txt | 2 ++ docs/ref/settings.txt | 8 ++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt index 7ff7d53aa0..c3c01c0b06 100644 --- a/docs/ref/contrib/csrf.txt +++ b/docs/ref/contrib/csrf.txt @@ -280,6 +280,8 @@ CSRF checks:: >>> from django.test import Client >>> csrf_client = Client(enforce_csrf_checks=True) +.. _csrf-limitations: + Limitations =========== diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 3a28745598..f8a5e0f640 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -319,11 +319,15 @@ CSRF_COOKIE_DOMAIN Default: ``None`` The domain to be used when setting the CSRF cookie. This can be useful for -allowing cross-subdomain requests to be exluded from the normal cross site -request forgery protection. It should be set to a string such as +easily allowing cross-subdomain requests to be exluded from the normal cross +site request forgery protection. It should be set to a string such as ``".lawrence.com"`` to allow a POST request from a form on one subdomain to be accepted by accepted by a view served from another subdomain. +Please note that the presence of this setting does not imply that Django's CSRF +protection is safe from cross-subdomain attacks by default - please see the +:ref:`CSRF limitations ` section. + .. setting:: CSRF_COOKIE_NAME CSRF_COOKIE_NAME
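Review bot: the csrf.txt hunk adds only the `.. _csrf-limitations:` label and no text, yet the settings.txt note added in the same commit sends readers to this section specifically for "cross-subdomain attacks"; confirm that the existing Limitations section actually explains that a cookie scoped to a parent domain (e.g. ``".lawrence.com"``) is readable and settable by every subdomain, and add a sentence there if it does not, otherwise the new cross-reference points at a section that never mentions subdomains. The blank line between the label and the `Limitations` heading is correct and needed for Sphinx to bind the label to that section.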
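Review bot: in the settings.txt hunk the new cross-reference reads ``:ref:`CSRF limitations ```` with no target, so Sphinx will not resolve it to the label added in csrf.txt; it should be ``:ref:`CSRF limitations <csrf-limitations>```` (the explicit target is required when the link text is customized). While this paragraph is being rewritten, the typo "exluded" is carried over unchanged from the removed line into the added one and should become "excluded", and the doubled "accepted by accepted by" in the unchanged context line just below could be fixed in the same change. The added warning itself is the right call: setting a parent-domain cookie widens the trust boundary to every host under that domain, and the doc should not read as if the setting alone makes that safe.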