Ticket #17105: 17105.diff

File 17105.diff, 1.3 KB (added by timo, 3 years ago)
  • docs/ref/contrib/csrf.txt

    diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt
    index e1a87d4..4c84727 100644
    a b all the views that need it, enable the middleware and use 
    347347CsrfViewMiddleware.process_view not used
    348348~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    349349
    350 There are cases when may not have run before your view is run - 404 and 500
    351 handlers, for example - but you still need the CSRF token in a form.
     350There are cases when ``CsrfViewMiddleware.process_view``` may not have run
     351before your view is run - 404 and 500 handlers, for example - but you still
     352need the CSRF token in a form.
    352353
    353354Solution: use :func:`~django.views.decorators.csrf.requires_csrf_token`
    354355
    The domain to be used when setting the CSRF cookie. This can be useful for 
    420421easily allowing cross-subdomain requests to be excluded from the normal cross
    421422site request forgery protection.  It should be set to a string such as
    422423``".lawrence.com"`` to allow a POST request from a form on one subdomain to be
    423 accepted by accepted by a view served from another subdomain.
     424accepted by a view served from another subdomain.
    424425
    425426Please note that, with or without use of this setting, this CSRF protection
    426427mechanism is not safe against cross-subdomain attacks -- see `Limitations`_.
Back to Top