| -rw-r--r-- | docs/narr/security.rst | 2 | ||||
| -rw-r--r-- | pyramid/csrf.py | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/docs/narr/security.rst b/docs/narr/security.rst index ddf496b69..3a6bfa5e5 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst @@ -946,7 +946,7 @@ automatic CSRF checking will also check the referrer of the request to ensure that it matches one of the trusted origins. By default the only trusted origin is the current host, however additional origins may be configured by setting ``pyramid.csrf_trusted_origins`` to a list of domain names (and ports if they -are non standard). If a host in the list of domains starts with a ``.`` then +are non-standard). If a host in the list of domains starts with a ``.`` then that will allow all subdomains as well as the domain without the ``.``. If CSRF checks fail then a :class:`pyramid.exceptions.BadCSRFToken` or diff --git a/pyramid/csrf.py b/pyramid/csrf.py index c8f097777..7c836e5ad 100644 --- a/pyramid/csrf.py +++ b/pyramid/csrf.py @@ -249,7 +249,7 @@ def check_csrf_origin(request, trusted_origins=None, raises=True): checks are successful this function will return ``True`` unconditionally. Additional trusted origins may be added by passing a list of domain (and - ports if nonstandard like ``['example.com', 'dev.example.com:8080']``) in + ports if non-standard like ``['example.com', 'dev.example.com:8080']``) in with the ``trusted_origins`` parameter. If ``trusted_origins`` is ``None`` (the default) this list of additional domains will be pulled from the ``pyramid.csrf_trusted_origins`` setting. |
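Review bot: In the pyramid/csrf.py hunk, the docstring sentence still reads awkwardly after the hyphenation fix: "a list of domain (and ports if non-standard like ...) in with the ``trusted_origins`` parameter" has a singular "domain" and a dangling "in with". Consider `Additional trusted origins may be added by passing a list of domains (with ports if non-standard, e.g. ['example.com', 'dev.example.com:8080'])` followed by `via the trusted_origins parameter.` The security.rst hunk documents that an entry starting with `.` trusts every subdomain as well, which widens what the origin check accepts, so it is worth confirming this docstring states the same rule. The docstring of check_csrf_origin starts and ends outside the hunk, so it may already cover that.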
