Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme.

docs/ref/checks.txt

@@ -123,6 +123,9 @@ upgrading Django.
 * **2_0.W001**: Your URL pattern ``<pattern>`` has a ``route`` that contains
   ``(?P<``, begins with a ``^``, or ends with a ``$``. This was likely an
   oversight when migrating from ``url()`` to :func:`~django.urls.path`.
+* **4_0.E001**: As of Django 4.0, the values in the
+  :setting:`CSRF_TRUSTED_ORIGINS` setting must start with a scheme (usually
+  ``http://`` or ``https://``) but found ``<hostname>``.
 
 Caches
 ------

docs/ref/settings.txt

@@ -457,15 +457,24 @@ should be ``'HTTP_X_XSRF_TOKEN'``.
 
 Default: ``[]`` (Empty list)
 
-A list of hosts which are trusted origins for unsafe requests (e.g. ``POST``).
+A list of trusted origins for unsafe requests (e.g. ``POST``).
+
 For a :meth:`secure <django.http.HttpRequest.is_secure>` unsafe
 request, Django's CSRF protection requires that the request have a ``Referer``
 header that matches the origin present in the ``Host`` header. This prevents,
 for example, a ``POST`` request from ``subdomain.example.com`` from succeeding
 against ``api.example.com``. If you need cross-origin unsafe requests over
-HTTPS, continuing the example, add ``"subdomain.example.com"`` to this list.
-The setting also supports subdomains, so you could add ``".example.com"``, for
-example, to allow access from all subdomains of ``example.com``.
+HTTPS, continuing the example, add ``'https://subdomain.example.com'`` to this
+list (and/or ``http://...`` if requests originate from an insecure page).
+
+The setting also supports subdomains, so you could add
+``'https://*.example.com'``, for example, to allow access from all subdomains
+of ``example.com``.
+
+.. versionchanged:: 4.0
+
+    The values in older versions must only include the hostname (possibly with
+    a leading dot) and not the scheme or an asterisk.
 
 .. setting:: DATABASES