-rw-r--r--docs/narr/security.rst4
-rw-r--r--src/pyramid/config/security.py6
2 files changed, 9 insertions, 1 deletions
diff --git a/docs/narr/security.rst b/docs/narr/security.rst
index 94469ba48..f6794dc2c 100644
--- a/docs/narr/security.rst
+++ b/docs/narr/security.rst
@@ -944,7 +944,9 @@ that it matches one of the trusted origins. By default the only trusted origin
is the current host, however additional origins may be configured by setting
``pyramid.csrf_trusted_origins`` to a list of domain names (and ports if they
are non-standard). If a host in the list of domains starts with a ``.`` then
-that will allow all subdomains as well as the domain without the ``.``.
+that will allow all subdomains as well as the domain without the ``.``. If no
+``Referer`` or ``Origin`` header is present in an HTTPS request, the CSRF check
+will fail unless the ``allow_no_origin`` is set.
If CSRF checks fail then a :class:`pyramid.exceptions.BadCSRFToken` or
:class:`pyramid.exceptions.BadCSRFOrigin` exception will be raised. This
diff --git a/src/pyramid/config/security.py b/src/pyramid/config/security.py
index 0d2bc8e99..02271e2ba 100644
--- a/src/pyramid/config/security.py
+++ b/src/pyramid/config/security.py
@@ -222,6 +222,9 @@ class SecurityConfiguratorMixin(object):
never be automatically checked for CSRF tokens.
Default: ``('GET', 'HEAD', 'OPTIONS', TRACE')``.
+ ``allow_no_origin`` is a boolean. If false, a request lacking both an
+ ``Origin`` and ``Referer`` header will fail the CSRF check.'
+
If ``callback`` is set, it must be a callable accepting ``(request)``
and returning ``True`` if the request should be checked for a valid
CSRF token. This callback allows an application to support
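Review bot: The new docstring line ending ``will fail the CSRF check.'`` carries a stray trailing apostrophe, and unlike the neighbouring ``safe_methods`` entry it does not state the option's default, which matters because this is the switch that decides whether an HTTPS request with neither ``Origin`` nor ``Referer`` passes the origin check. I would rewrite the two added lines as `` ``allow_no_origin`` is a boolean. If false, a request lacking both an`` / `` ``Origin`` and ``Referer`` header will fail the CSRF check.`` / ``Default: ``<ACTUAL_DEFAULT>``.`` with the real default value filled in from the method signature, which sits outside this hunk. The enclosing ``set_default_csrf_options`` method (name inferred from the ``DefaultCSRFOptions(`` call below; confirm) starts before the hunk.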
@@ -237,6 +240,9 @@ class SecurityConfiguratorMixin(object):
.. versionchanged:: 1.8
Added the ``callback`` option.
+ .. versionchanged:: 2.0
+ Added the ``allow_no_origin`` option.
+
"""
options = DefaultCSRFOptions(
require_csrf=require_csrf,