From 9ffed1017d5e416813df73e4e76b6bfd1d2da2c8 Mon Sep 17 00:00:00 2001
From: Theron Luhn <theron@luhn.com>
Date: Thu, 19 Sep 2019 20:30:08 -0700
Subject: Document CSRF allow_no_origin option.

---
 docs/narr/security.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'docs/narr')

diff --git a/docs/narr/security.rst b/docs/narr/security.rst
index 94469ba48..f6794dc2c 100644
--- a/docs/narr/security.rst
+++ b/docs/narr/security.rst
@@ -944,7 +944,9 @@ that it matches one of the trusted origins. By default the only trusted origin
 is the current host, however additional origins may be configured by setting
 ``pyramid.csrf_trusted_origins`` to a list of domain names (and ports if they
 are non-standard). If a host in the list of domains starts with a ``.`` then
-that will allow all subdomains as well as the domain without the ``.``.
+that will allow all subdomains as well as the domain without the ``.``.  If no
+``Referer`` or ``Origin`` header is present in an HTTPS request, the CSRF check
+will fail unless the ``allow_no_origin`` is set.
 
 If CSRF checks fail then a :class:`pyramid.exceptions.BadCSRFToken` or
 :class:`pyramid.exceptions.BadCSRFOrigin` exception will be raised. This
-- 
cgit v1.2.3