From 9ffed1017d5e416813df73e4e76b6bfd1d2da2c8 Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Thu, 19 Sep 2019 20:30:08 -0700 Subject: Document CSRF allow_no_origin option. --- docs/narr/security.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/narr/security.rst b/docs/narr/security.rst index 94469ba48..f6794dc2c 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst @@ -944,7 +944,9 @@ that it matches one of the trusted origins. By default the only trusted origin is the current host, however additional origins may be configured by setting ``pyramid.csrf_trusted_origins`` to a list of domain names (and ports if they are non-standard). If a host in the list of domains starts with a ``.`` then -that will allow all subdomains as well as the domain without the ``.``. +that will allow all subdomains as well as the domain without the ``.``. If no +``Referer`` or ``Origin`` header is present in an HTTPS request, the CSRF check +will fail unless the ``allow_no_origin`` is set. If CSRF checks fail then a :class:`pyramid.exceptions.BadCSRFToken` or :class:`pyramid.exceptions.BadCSRFOrigin` exception will be raised. This -- cgit v1.2.3 From 78db10b672bf91185452e68c2b695c3d4e0272ce Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Thu, 19 Sep 2019 20:47:54 -0700 Subject: Add a whatsnew-2.0 doc. --- docs/index.rst | 1 + docs/whatsnew-2.0.rst | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 docs/whatsnew-2.0.rst (limited to 'docs') diff --git a/docs/index.rst b/docs/index.rst index 09a3b56b0..c1f6db81a 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -174,6 +174,7 @@ Change History .. toctree:: :maxdepth: 1 + whatsnew-2.0 whatsnew-1.10 whatsnew-1.9 whatsnew-1.8 diff --git a/docs/whatsnew-2.0.rst b/docs/whatsnew-2.0.rst new file mode 100644 index 000000000..fd7c69000 --- /dev/null +++ b/docs/whatsnew-2.0.rst 
@@ -0,0 +1,16 @@ +What's New in Pyramid 2.0 +========================= + +This article explains the new features in :app:`Pyramid` version 2.0 as +compared to its predecessor, :app:`Pyramid` 1.10. It also documents backwards +incompatibilities between the two versions and deprecations added to +:app:`Pyramid` 2.0, as well as software dependency changes and notable +documentation additions. + +Feature Additions +----------------- + +The feature additions in Pyramid 2.0 are as follows: + +- Added ``allow_no_origin`` option to :meth:`pyramid.config.Configurator.set_default_csrf_options`. + See https://github.com/Pylons/pyramid/pull/3512 -- cgit v1.2.3 From 904314e683cc488871ba8f163ff47a5c3be86db4 Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Mon, 23 Sep 2019 11:02:56 -0700 Subject: Doc fixes from @Deimos --- docs/narr/security.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/narr/security.rst b/docs/narr/security.rst index f6794dc2c..2b0a2f032 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst @@ -946,7 +946,7 @@ is the current host, however additional origins may be configured by setting are non-standard). If a host in the list of domains starts with a ``.`` then that will allow all subdomains as well as the domain without the ``.``. If no ``Referer`` or ``Origin`` header is present in an HTTPS request, the CSRF check -will fail unless the ``allow_no_origin`` is set. +will fail unless ``allow_no_origin`` is set. If CSRF checks fail then a :class:`pyramid.exceptions.BadCSRFToken` or :class:`pyramid.exceptions.BadCSRFOrigin` exception will be raised. This -- cgit v1.2.3 From 070642056a2863c5da20cbc28626f4e8e1c49cdb Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Fri, 27 Sep 2019 12:41:42 -0700 Subject: Remove whatsnew-2.0 --- docs/index.rst | 1 - docs/whatsnew-2.0.rst | 16 ---------------- 2 files changed, 17 deletions(-) delete mode 100644 docs/whatsnew-2.0.rst (limited to 'docs') 
diff --git a/docs/index.rst b/docs/index.rst index c1f6db81a..09a3b56b0 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -174,7 +174,6 @@ Change History .. toctree:: :maxdepth: 1 - whatsnew-2.0 whatsnew-1.10 whatsnew-1.9 whatsnew-1.8 diff --git a/docs/whatsnew-2.0.rst b/docs/whatsnew-2.0.rst deleted file mode 100644 index fd7c69000..000000000 --- a/docs/whatsnew-2.0.rst +++ /dev/null @@ -1,16 +0,0 @@ -What's New in Pyramid 2.0 -========================= - -This article explains the new features in :app:`Pyramid` version 2.0 as -compared to its predecessor, :app:`Pyramid` 1.10. It also documents backwards -incompatibilities between the two versions and deprecations added to -:app:`Pyramid` 2.0, as well as software dependency changes and notable -documentation additions. - -Feature Additions ------------------ - -The feature additions in Pyramid 2.0 are as follows: - -- Added ``allow_no_origin`` option to :meth:`pyramid.config.Configurator.set_default_csrf_options`. - See https://github.com/Pylons/pyramid/pull/3512 -- cgit v1.2.3
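Review bot: in the docs/narr/security.rst hunk of "Document CSRF allow_no_origin option.", the added sentence reads "unless the ``allow_no_origin`` is set", which leaves a dangling "the"; write "unless ``allow_no_origin`` is set" (the later "Doc fixes from @Deimos" commit makes exactly this correction, so the two commits could be squashed). The sentence should also say where the option is configured (the whatsnew entry in this series names :meth:`pyramid.config.Configurator.set_default_csrf_options`) and spell out the trade-off that follows from the text as written: with the option enabled, an HTTPS request that carries neither ``Referer`` nor ``Origin`` passes the origin check instead of being rejected, so the default (off) is the safer setting and the option belongs only in deployments that knowingly accept such header-less requests.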
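Review bot: in the new docs/whatsnew-2.0.rst hunk of "Add a whatsnew-2.0 doc.", the introduction promises coverage of backwards incompatibilities, deprecations, dependency changes and documentation additions, but the file contains only a "Feature Additions" section; either add the remaining headings (as placeholders to be filled in over the 2.0 cycle) or trim the introduction to match what is there. The ``allow_no_origin`` bullet also only names the option; a clause on what it does (lets the CSRF origin check pass for an HTTPS request that has no ``Referer`` or ``Origin`` header, per the docs/narr/security.rst change in this series) and a cross-reference to the narrative security chapter would save readers a trip to the pull request.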
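Review bot: the "Remove whatsnew-2.0" commit deletes docs/whatsnew-2.0.rst and its toctree entry without giving a reason; the commit message should state why (for instance, that the page is deferred until the 2.0 release branch exists), because as the series stands it adds the only changelog mention of ``allow_no_origin`` and then removes it again, leaving the single sentence in docs/narr/security.rst as the only place the new option is documented.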