From c568792e81c7a09e3160548e7b8dcb89e9a5fa99 Mon Sep 17 00:00:00 2001
From: Luke Plant <L.Plant.98@cantab.net>
Date: Thu, 16 Aug 2007 14:09:41 +0000
Subject: [PATCH] Added a reference for the claim in CSRF docs that GET
 requests should be side-effect free.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@5902 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 docs/csrf.txt | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/docs/csrf.txt b/docs/csrf.txt
index c12dd1d116..7d79e39502 100644
--- a/docs/csrf.txt
+++ b/docs/csrf.txt
@@ -41,10 +41,10 @@ CsrfMiddleware does two things:
 This ensures that only forms that have originated from your web site
 can be used to POST data back.
 
-It deliberately only targets HTTP POST requests (and the corresponding
-POST forms). GET requests ought never to have side effects (if you are
-using HTTP GET and POST correctly), and so a CSRF attack with a GET
-request will always be harmless.
+It deliberately only targets HTTP POST requests (and the corresponding POST
+forms). GET requests ought never to have any potentially dangerous side
+effects (see `9.1.1 Safe Methods, HTTP 1.1, RFC 2616`_), and so a
+CSRF attack with a GET request ought to be harmless.
 
 POST requests that are not accompanied by a session cookie are not protected,
 but they do not need to be protected, since the 'attacking' web site
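Review bot: the rewritten sentence ("GET requests ought never to have any potentially dangerous side effects ... and so a CSRF attack with a GET request ought to be harmless") still reads as a guarantee, but the only thing the middleware guarantees is what the first sentence of the hunk says: it targets POST requests. If a view in this project changes state on GET, the middleware gives it no protection at all, and the hedge "ought to" does not make that explicit. I would add a sentence to that effect, for example "Any view that changes state in response to a GET request is not protected by this middleware and remains vulnerable to CSRF", so the reader does not take the RFC citation as a reason the problem cannot occur. Section 9.1.1 itself only says that safe methods SHOULD NOT have the significance of taking an action other than retrieval, and explicitly notes that the server may still produce side effects, so the RFC supports a recommendation, not an assurance.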
@@ -54,6 +54,8 @@ The Content-Type is checked before modifying the response, and only
 pages that are served as 'text/html' or 'application/xml+xhtml'
 are modified.
 
+.. _9.1.1 Safe Methods, HTTP 1.1, RFC 2616: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
+
 Limitations
 ===========
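Review bot: the hyperlink target added here points at the whole of section 9 (`rfc2616-sec9.html`) even though the link text names subsection 9.1.1 specifically. The W3C copy of RFC 2616 carries per-subsection anchors, so the target should end in `#sec9.1.1` to land the reader on "Safe Methods" rather than at the top of "Method Definitions":

.. _9.1.1 Safe Methods, HTTP 1.1, RFC 2616: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1

Placing the target just above the "Limitations" heading rather than at the end of the file is fine for reST, but a blank line on each side, as the hunk already has, is needed so the directive is not absorbed into the surrounding paragraph or heading.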