Changeset 5902
- Timestamp: 08/16/07 09:09:41 (1 year ago)
- Files: django/trunk/docs/csrf.txt (modified) (2 diffs)
django/trunk/docs/csrf.txt
r4224 r5902 42 42 can be used to POST data back. 43 43 44 It deliberately only targets HTTP POST requests (and the corresponding 45 POST forms). GET requests ought never to have side effects (if you are46 using HTTP GET and POST correctly), and so a CSRF attack with a GET 47 request will alwaysbe harmless.44 It deliberately only targets HTTP POST requests (and the corresponding POST 45 forms). GET requests ought never to have any potentially dangerous side 46 effects (see `9.1.1 Safe Methods, HTTP 1.1, RFC 2616`_), and so a 47 CSRF attack with a GET request ought to be harmless. 48 48 49 49 POST requests that are not accompanied by a session cookie are not protected, … … 54 54 pages that are served as 'text/html' or 'application/xml+xhtml' 55 55 are modified. 56 57 .. _9.1.1 Safe Methods, HTTP 1.1, RFC 2616: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html 56 58 57 59 Limitations
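Review bot: the rewrite of lines 44-47 drops the old parenthetical "(if you are using HTTP GET and POST correctly)", so the new text only implies, rather than states, that a view which changes state on a GET request is left unprotected by this middleware. Keep that caveat explicit, for example by adding after "ought to be harmless." a sentence such as "Views that change state in response to GET requests are not protected by this middleware." The change from "will always be harmless" to "ought to be harmless" is the right softening, since the guarantee depends on the application honouring RFC 2616 9.1.1, not on the middleware.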
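Review bot: the hyperlink target added at line 57 uses the long, punctuation-heavy name `9.1.1 Safe Methods, HTTP 1.1, RFC 2616`, which must be repeated character for character in the backtick-quoted reference at line 46; a shorter target name (for example `.. _RFC 2616 section 9.1.1: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html`, with the inline reference changed to match) is less fragile to later edits of the sentence. The reST syntax itself is valid as written.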
