Commit 76b33670 authored by Mayank Singhal, committed by Tim Graham

Fixed #29879 -- Added CSRF_COOKIE_HTTPONLY to CSRF AJAX docs.

parent f1d16344
...@@ -66,10 +66,13 @@ often easier because many JavaScript frameworks provide hooks that allow ...@@ -66,10 +66,13 @@ often easier because many JavaScript frameworks provide hooks that allow
headers to be set on every request. headers to be set on every request.
First, you must get the CSRF token. How to do that depends on whether or not First, you must get the CSRF token. How to do that depends on whether or not
the :setting:`CSRF_USE_SESSIONS` setting is enabled. the :setting:`CSRF_USE_SESSIONS` and :setting:`CSRF_COOKIE_HTTPONLY` settings
are enabled.
Acquiring the token if :setting:`CSRF_USE_SESSIONS` is ``False`` .. _acquiring-csrf-token-from-cookie:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Acquiring the token if :setting:`CSRF_USE_SESSIONS` and :setting:`CSRF_COOKIE_HTTPONLY` are ``False``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The recommended source for the token is the ``csrftoken`` cookie, which will be The recommended source for the token is the ``csrftoken`` cookie, which will be
set if you've enabled CSRF protection for your views as outlined above. set if you've enabled CSRF protection for your views as outlined above.
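Review bot: the rewritten introductory sentence in this hunk, "depends on whether or not the :setting:`CSRF_USE_SESSIONS` and :setting:`CSRF_COOKIE_HTTPONLY` settings are enabled", reads as if the two settings are toggled together, while the two new subsection headings split on "and ... are ``False``" versus "or ... is ``True``". Suggest wording it as "depends on whether either the :setting:`CSRF_USE_SESSIONS` or the :setting:`CSRF_COOKIE_HTTPONLY` setting is enabled" so the sentence matches the headings that follow. The new ``.. _acquiring-csrf-token-from-cookie:`` label sits directly above its heading with a blank line, which is what Sphinx needs for the ``:ref:`` added later in this patch to resolve.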
...@@ -122,11 +125,14 @@ The above code could be simplified by using the `JavaScript Cookie library ...@@ -122,11 +125,14 @@ The above code could be simplified by using the `JavaScript Cookie library
Django provides a view decorator which forces setting of the cookie: Django provides a view decorator which forces setting of the cookie:
:func:`~django.views.decorators.csrf.ensure_csrf_cookie`. :func:`~django.views.decorators.csrf.ensure_csrf_cookie`.
Acquiring the token if :setting:`CSRF_USE_SESSIONS` is ``True`` .. _acquiring-csrf-token-from-html:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Acquiring the token if :setting:`CSRF_USE_SESSIONS` or :setting:`CSRF_COOKIE_HTTPONLY` is ``True``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you activate :setting:`CSRF_USE_SESSIONS`, you must include the CSRF token If you activate :setting:`CSRF_USE_SESSIONS` or
in your HTML and read the token from the DOM with JavaScript: :setting:`CSRF_COOKIE_HTTPONLY`, you must include the CSRF token in your HTML
and read the token from the DOM with JavaScript:
.. code-block:: html+django .. code-block:: html+django
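Review bot: the rewritten paragraph "If you activate :setting:`CSRF_USE_SESSIONS` or :setting:`CSRF_COOKIE_HTTPONLY`, you must include the CSRF token in your HTML and read the token from the DOM with JavaScript" gives one instruction for two different reasons, and a reader arriving here for the ``HttpOnly`` case may conclude that no cookie is set at all. Suggest a short clause distinguishing them, along the lines of "with :setting:`CSRF_USE_SESSIONS` there is no cookie to read; with :setting:`CSRF_COOKIE_HTTPONLY` the browser still sends the cookie but JavaScript cannot read it", so it is clear that the hidden input only replaces the read path and the cookie or session value is still what the middleware compares against.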
...@@ -335,8 +335,9 @@ Although the setting offers little practical benefit, it's sometimes required ...@@ -335,8 +335,9 @@ Although the setting offers little practical benefit, it's sometimes required
by security auditors. by security auditors.
If you enable this and need to send the value of the CSRF token with an AJAX If you enable this and need to send the value of the CSRF token with an AJAX
request, your JavaScript must pull the value from a hidden CSRF token form request, your JavaScript must pull the value :ref:`from a hidden CSRF token
input on the page instead of from the cookie. form input <acquiring-csrf-token-from-html>` instead of :ref:`from the cookie
<acquiring-csrf-token-from-cookie>`.
See :setting:`SESSION_COOKIE_HTTPONLY` for details on ``HttpOnly``. See :setting:`SESSION_COOKIE_HTTPONLY` for details on ``HttpOnly``.
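Review bot: the two new cross-references, ``acquiring-csrf-token-from-html`` and ``acquiring-csrf-token-from-cookie``, match the labels introduced in the earlier hunks of this file, but a mismatched label only surfaces as a Sphinx warning, so the docs build should be run with Sphinx's ``-W`` (warnings as errors) before merge. The ``:ref:`` role for the form-input link now wraps across a line break ("...hidden CSRF token" / "form input <acquiring-csrf-token-from-html>`"); Sphinx accepts interpreted text spanning lines within a paragraph, so it builds, but keeping each role on one line would make future diffs of this sentence easier to read.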