From 9ffed1017d5e416813df73e4e76b6bfd1d2da2c8 Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Thu, 19 Sep 2019 20:30:08 -0700 Subject: Document CSRF allow_no_origin option. --- docs/narr/security.rst | 4 +++- src/pyramid/config/security.py | 6 ++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/narr/security.rst b/docs/narr/security.rst index 94469ba48..f6794dc2c 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst @@ -944,7 +944,9 @@ that it matches one of the trusted origins. By default the only trusted origin is the current host, however additional origins may be configured by setting ``pyramid.csrf_trusted_origins`` to a list of domain names (and ports if they are non-standard). If a host in the list of domains starts with a ``.`` then -that will allow all subdomains as well as the domain without the ``.``. +that will allow all subdomains as well as the domain without the ``.``. If no +``Referer`` or ``Origin`` header is present in an HTTPS request, the CSRF check +will fail unless the ``allow_no_origin`` is set. If CSRF checks fail then a :class:`pyramid.exceptions.BadCSRFToken` or :class:`pyramid.exceptions.BadCSRFOrigin` exception will be raised. This diff --git a/src/pyramid/config/security.py b/src/pyramid/config/security.py index 0d2bc8e99..02271e2ba 100644 --- a/src/pyramid/config/security.py +++ b/src/pyramid/config/security.py @@ -222,6 +222,9 @@ class SecurityConfiguratorMixin(object): never be automatically checked for CSRF tokens. Default: ``('GET', 'HEAD', 'OPTIONS', TRACE')``. + ``allow_no_origin`` is a boolean. If false, a request lacking both an + ``Origin`` and ``Referer`` header will fail the CSRF check.' + If ``callback`` is set, it must be a callable accepting ``(request)`` and returning ``True`` if the request should be checked for a valid CSRF token. This callback allows an application to support 
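Review bot: The second added docstring line in the src/pyramid/config/security.py hunk ends with a stray apostrophe, `will fail the CSRF check.'` — the quote after the full stop is a typo and should be dropped. The new paragraph also leaves out two things a reader of this option needs: which value is the default (the signature is outside the hunk, so state whatever it defines), and the qualification the narrative docs added in this same commit give, that the ``Origin``/``Referer`` requirement applies to HTTPS requests. Since setting the option to true lets a request that carries neither header pass the origin part of the check, it would help to say so explicitly so the relaxation is a deliberate choice, e.g. `` ``allow_no_origin`` is a boolean. If false, an HTTPS request lacking both an ``Origin`` and ``Referer`` header will fail the CSRF check; if true, such requests are not rejected on that ground. `` The enclosing method's docstring starts and ends outside this hunk.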
@@ -237,6 +240,9 @@ class SecurityConfiguratorMixin(object):
 .. versionchanged:: 1.8
 Added the ``callback`` option.
 
+ .. versionchanged:: 2.0
+ Added the ``allow_no_origin`` option.
+
 """
 options = DefaultCSRFOptions(
 require_csrf=require_csrf,
-- 
cgit v1.2.3