| author | Michael Merickel <michael@merickel.org> | 2019-09-30 21:27:20 -0500 |
|---|---|---|
| committer | Michael Merickel <michael@merickel.org> | 2019-10-17 22:49:49 -0500 |
| commit | 8b7b7cbf9058312f0bf6b044cfa388f807eff739 (patch) | |
| tree | 1b7de5c2b62928aea23372adb2b95b42aa5eab0c /CHANGES.rst | |
| parent | 2153b4b878d77aa0cb5b79805dd185d133c26451 (diff) | |
support Origin: null in csrf_trusted_origins and check_origin=False
Diffstat (limited to 'CHANGES.rst')
| -rw-r--r-- | CHANGES.rst | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/CHANGES.rst b/CHANGES.rst index 0cf66d16f..987d5c3d4 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -43,8 +43,17 @@ Features ``pyramid.csrf.check_csrf_origin``. This option controls whether a request is rejected if it has no ``Origin`` or ``Referer`` header - often the result of a user configuring their browser not to send a - ``Referer`` header for privacy reasons. + ``Referer`` header for privacy reasons even on same-domain requests. + The default is to reject requests without a known origin. It is also + possible to allow the special ``Origin: null`` header by adding it to the + ``pyramid.csrf_trusted_origins`` list in the settings. See https://github.com/Pylons/pyramid/pull/3512 + and https://github.com/Pylons/pyramid/pull/3518 + +- A new parameter, ``check_origin``, was added to + ``pyramid.config.Configurator.set_default_csrf_options`` which disables + origin checking entirely. + See https://github.com/Pylons/pyramid/pull/3518 - Added ``pyramid.interfaces.IPredicateInfo`` which defines the object passed to predicate factories as their second argument. |
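Review bot: the new ``check_origin`` entry says the parameter "disables origin checking entirely" but does not say what protection remains once it is off; the entry should state whether the CSRF token check still applies so a reader does not take ``check_origin=False`` for a way to turn off CSRF protection as a whole. In the first bullet, the added sentence about allowing ``Origin: null`` via ``pyramid.csrf_trusted_origins`` should make the trade-off explicit: the preceding line says the default is to reject requests without a known origin, and listing ``null`` as trusted accepts exactly that class of request, so the changelog should say that this widens what the origin check accepts and is opt-in. Minor style point: the two "See https://github.com/Pylons/pyramid/pull/..." references in the first bullet are split across a pre-existing line and a new ``+ and https://...`` line; joining them into one "See ... and ..." line keeps the entry consistent with the single-reference line in the second bullet.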
