path: root/docs/narr/viewconfig.rst
author: Donald Stufft <donald@stufft.io> 2016-04-15 17:41:35 -0400
committer: Donald Stufft <donald@stufft.io> 2016-04-15 18:31:23 -0400
commit: f12005b92fa9bb33f082bd50747eb11791605cff (patch)
tree: ba171caede0f861a5ded96309615b10351a7484b /docs/narr/viewconfig.rst
parent: bf33b200bbb72114ca55150724b0a4c51d7ef535 (diff)
Only Accept CSRF Tokens in headers or POST bodies
Previously `check_csrf_token` would allow passing in a CSRF token through the URL of a request. However, this is a security issue because a CSRF token must not be allowed to leak, and URLs regularly get copy/pasted or otherwise end up leaking to the outside world.
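The behaviour change the commit message describes, written out as a standalone Python illustration added here (not Pyramid's own code): a stand-in request object, the pre-fix check reading the merged `request.params` view, and the hardened check that consults only the POST body and a header. The `FakeRequest` class, `check_csrf_token_before_fix` and the `X-CSRF-Token` header name are assumptions made for this example.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class FakeRequest:
    """Stand-in for a WSGI request object; constructed for this example, not Pyramid's."""
    session_token: str
    GET: dict = field(default_factory=dict)      # query-string parameters
    POST: dict = field(default_factory=dict)     # form-encoded body parameters
    headers: dict = field(default_factory=dict)  # HTTP request headers

    @property
    def params(self):
        """Merged GET+POST view, which is why the old check accepted a token from the URL."""
        merged = dict(self.GET)
        merged.update(self.POST)
        return merged


def check_csrf_token_before_fix(request, token="csrf_token"):
    """Pre-fix behaviour (reconstructed for illustration): reads request.params, so a URL token passes."""
    supplied = request.params.get(token)
    return supplied is not None and hmac.compare_digest(str(supplied), str(request.session_token))


def check_csrf_token(request, token="csrf_token", header="X-CSRF-Token"):
    """Hardened check: only the POST body or the header may carry the token.

    Query-string values are ignored on purpose: URLs end up in proxy and server logs,
    browser history and Referer headers, and get copy/pasted, so a token there leaks.
    """
    supplied = request.POST.get(token)
    if supplied is None:
        supplied = request.headers.get(header)
    if supplied is None or request.session_token is None:
        return False
    # Constant-time comparison so timing does not reveal how many leading bytes matched.
    return hmac.compare_digest(str(supplied), str(request.session_token))


if __name__ == "__main__":
    secret = "constructed-session-token"
    in_url = FakeRequest(secret, GET={"csrf_token": secret})
    print("URL token, before fix:", check_csrf_token_before_fix(in_url))  # True: leak-prone
    print("URL token, after fix:", check_csrf_token(in_url))             # False
    print("POST token, after fix:", check_csrf_token(FakeRequest(secret, POST={"csrf_token": secret})))
```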
Diffstat (limited to 'docs/narr/viewconfig.rst')
-rw-r--r--  docs/narr/viewconfig.rst  2
1 files changed, 1 insertions, 1 deletions
diff --git a/docs/narr/viewconfig.rst b/docs/narr/viewconfig.rst
index e645185f5..40db5fbeb 100644
--- a/docs/narr/viewconfig.rst
+++ b/docs/narr/viewconfig.rst
@@ -459,7 +459,7 @@ configured view.
check name.
If CSRF checking is performed, the checked value will be the value of
- ``request.params[check_name]``. This value will be compared against the
+ ``request.POST[check_name]``. This value will be compared against the
value of ``request.session.get_csrf_token()``, and the check will pass if
these two values are the same. If the check passes, the associated view will
be permitted to execute. If the check fails, the associated view will not be
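Review bot: the paragraph now documents only ``request.POST[check_name]``, but the commit message says tokens are accepted from headers or POST bodies, so a reader of this section will not learn that a header is also consulted. Suggest extending the sentence along the lines of "the checked value will be the value of ``request.POST[check_name]`` or, failing that, the CSRF header", naming the header the implementation actually reads. It is also worth stating explicitly that a token supplied in the query string is no longer accepted, since that is the behaviour change users upgrading will run into.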