Changeset 8215 for django/branches/gis/docs/csrf.txt
- Timestamp:
- 08/05/08 12:15:33 (5 months ago)
- Files:
- django/branches/gis (modified) (1 prop)
- django/branches/gis/docs/csrf.txt (modified) (4 diffs)
django/branches/gis
- Property svnmerge-integrated changed from /django/trunk:1-7978 to /django/trunk:1-8214
django/branches/gis/docs/csrf.txt
r7354 r8215 5 5 The CsrfMiddleware class provides easy-to-use protection against 6 6 `Cross Site Request Forgeries`_. This type of attack occurs when a malicious 7 web site creates a link or form button that is intended to perform some action8 on your web site, using the credentials of a logged-in user who is tricked7 Web site creates a link or form button that is intended to perform some action 8 on your Web site, using the credentials of a logged-in user who is tricked 9 9 into clicking on the link in their browser. 10 10 … … 39 39 isn't, the user will get a 403 error. 40 40 41 This ensures that only forms that have originated from your web site41 This ensures that only forms that have originated from your Web site 42 42 can be used to POST data back. 43 43 … … 48 48 49 49 POST requests that are not accompanied by a session cookie are not protected, 50 but they do not need to be protected, since the 'attacking' web site50 but they do not need to be protected, since the 'attacking' Web site 51 51 could make these kind of requests anyway. 52 52 … … 65 65 66 66 If your app creates HTML pages and forms in some unusual way, (e.g. 67 it sends fragments of HTML in javascript document.write statements)67 it sends fragments of HTML in JavaScript document.write statements) 68 68 you might bypass the filter that adds the hidden field to the form, 69 69 in which case form submission will always fail. It may still be possible
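Review bot: The first three hunks (around lines 5-10, 39-43 and 48-52 of csrf.txt) only change the capitalisation of "web site" to "Web site" in unchanged sentences; there is no functional change to the CsrfMiddleware description, so nothing to flag beyond confirming the spelling is applied consistently across the whole file rather than just these three occurrences.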
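Review bot: In the third hunk the unchanged context line "could make these kind of requests anyway" has a number-agreement error that this pass could have picked up; suggest "could make this kind of request anyway" while the surrounding sentence is already being touched.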
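Review bot: In the fourth hunk (lines 65-69) the "javascript" to "JavaScript" fix is fine, but "document.write" on the same line is a code identifier and, since this file uses reStructuredText (see the `Cross Site Request Forgeries`_ link target), it should be set as an inline literal: ``document.write``. That keeps the rendered docs from reading the method name as prose.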
