From f12005b92fa9bb33f082bd50747eb11791605cff Mon Sep 17 00:00:00 2001
From: Donald Stufft <donald@stufft.io>
Date: Fri, 15 Apr 2016 17:41:35 -0400
Subject: Only Accept CSRF Tokens in headers or POST bodies

Previously `check_csrf_token` would allow passing in a CSRF token in through a
the URL of a request. However this is a security issue because a CSRF token
must not be allowed to leak, and URLs regularly get copy/pasted or otherwise
end up leaking to the outside world.
---
 docs/narr/viewconfig.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'docs/narr/viewconfig.rst')

diff --git a/docs/narr/viewconfig.rst b/docs/narr/viewconfig.rst
index e645185f5..40db5fbeb 100644
--- a/docs/narr/viewconfig.rst
+++ b/docs/narr/viewconfig.rst
@@ -459,7 +459,7 @@ configured view.
   check name.
 
   If CSRF checking is performed, the checked value will be the value of
-  ``request.params[check_name]``.  This value will be compared against the
+  ``request.POST[check_name]``.  This value will be compared against the
   value of ``request.session.get_csrf_token()``, and the check will pass if
   these two values are the same.  If the check passes, the associated view will
   be permitted to execute.  If the check fails, the associated view will not be
-- 
cgit v1.2.3