| author | Michael Merickel <michael@merickel.org> | 2019-09-30 15:38:27 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-09-30 15:38:27 -0500 |
| commit | 502149ae3694bcb8eefb42974e84a5bf603aaebb (patch) | |
| tree | b786809fbd15e69b5ecfcc010f1e0ff83b764bc7 /docs | |
| parent | f63d45aa7561098f5588eb93b6c3cde126c5e711 (diff) | |
| parent | 070642056a2863c5da20cbc28626f4e8e1c49cdb (diff) | |
Merge pull request #3512 from luhn/csrf-allow-no-origin
Add allow_no_origin option to CSRF
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/narr/security.rst | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/docs/narr/security.rst b/docs/narr/security.rst index 94469ba48..2b0a2f032 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst @@ -944,7 +944,9 @@ that it matches one of the trusted origins. By default the only trusted origin is the current host, however additional origins may be configured by setting ``pyramid.csrf_trusted_origins`` to a list of domain names (and ports if they are non-standard). If a host in the list of domains starts with a ``.`` then -that will allow all subdomains as well as the domain without the ``.``. +that will allow all subdomains as well as the domain without the ``.``. If no +``Referer`` or ``Origin`` header is present in an HTTPS request, the CSRF check +will fail unless ``allow_no_origin`` is set. If CSRF checks fail then a :class:`pyramid.exceptions.BadCSRFToken` or :class:`pyramid.exceptions.BadCSRFOrigin` exception will be raised. This |
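Review bot: the added sentence names ``allow_no_origin`` but does not say where the reader sets it, and the surrounding paragraph otherwise documents configuration via a named setting (``pyramid.csrf_trusted_origins``) and cross-referenced exceptions, so the new option should likewise be introduced as a parameter of a specific function or setting with a ``:func:``/``:ref:`` cross-reference rather than a bare literal. It would also help to spell out the security trade-off in one clause: with ``allow_no_origin`` set, an HTTPS request that carries neither ``Referer`` nor ``Origin`` passes the origin check without its origin ever being verified, so the token check is the only remaining CSRF protection for such requests; something like "will fail unless ``allow_no_origin`` is set, in which case the origin check is skipped for such requests" makes the consequence explicit.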
