Document CSRF allow_no_origin option.

author: Theron Luhn <theron@luhn.com> 2019-09-19 20:30:08 -0700
committer: Theron Luhn <theron@luhn.com> 2019-09-19 20:30:08 -0700
commit: 9ffed1017d5e416813df73e4e76b6bfd1d2da2c8 (patch)
tree: e9aa922336ec802771399204ff5cf8a61bcf8427 /docs
parent: 6dd21309e4d9b21162b8db3e015533be10db0601 (diff)
download: pyramid-9ffed1017d5e416813df73e4e76b6bfd1d2da2c8.tar.gz
pyramid-9ffed1017d5e416813df73e4e76b6bfd1d2da2c8.tar.bz2
pyramid-9ffed1017d5e416813df73e4e76b6bfd1d2da2c8.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/docs/narr/security.rst b/docs/narr/security.rst
index 94469ba48..f6794dc2c 100644
--- a/docs/narr/security.rst
+++ b/docs/narr/security.rst
@@ -944,7 +944,9 @@ that it matches one of the trusted origins. By default the only trusted origin
 is the current host, however additional origins may be configured by setting
 ``pyramid.csrf_trusted_origins`` to a list of domain names (and ports if they
 are non-standard). If a host in the list of domains starts with a ``.`` then
-that will allow all subdomains as well as the domain without the ``.``.
+that will allow all subdomains as well as the domain without the ``.``.  If no
+``Referer`` or ``Origin`` header is present in an HTTPS request, the CSRF check
+will fail unless the ``allow_no_origin`` is set.
 
 If CSRF checks fail then a :class:`pyramid.exceptions.BadCSRFToken` or
 :class:`pyramid.exceptions.BadCSRFOrigin` exception will be raised. This
author	Theron Luhn <theron@luhn.com>	2019-09-19 20:30:08 -0700
committer	Theron Luhn <theron@luhn.com>	2019-09-19 20:30:08 -0700
commit	9ffed1017d5e416813df73e4e76b6bfd1d2da2c8 (patch)
tree	e9aa922336ec802771399204ff5cf8a61bcf8427 /docs
parent	6dd21309e4d9b21162b8db3e015533be10db0601 (diff)
download	pyramid-9ffed1017d5e416813df73e4e76b6bfd1d2da2c8.tar.gz pyramid-9ffed1017d5e416813df73e4e76b6bfd1d2da2c8.tar.bz2 pyramid-9ffed1017d5e416813df73e4e76b6bfd1d2da2c8.zip