From 9ffed1017d5e416813df73e4e76b6bfd1d2da2c8 Mon Sep 17 00:00:00 2001
From: Theron Luhn <theron@luhn.com>
Date: Thu, 19 Sep 2019 20:30:08 -0700
Subject: Document CSRF allow_no_origin option.

---
 src/pyramid/config/security.py | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'src')

diff --git a/src/pyramid/config/security.py b/src/pyramid/config/security.py
index 0d2bc8e99..02271e2ba 100644
--- a/src/pyramid/config/security.py
+++ b/src/pyramid/config/security.py
@@ -222,6 +222,9 @@ class SecurityConfiguratorMixin(object):
         never be automatically checked for CSRF tokens.
         Default: ``('GET', 'HEAD', 'OPTIONS', TRACE')``.
 
+        ``allow_no_origin`` is a boolean.  If false, a request lacking both an
+        ``Origin`` and ``Referer`` header will fail the CSRF check.'
+
         If ``callback`` is set, it must be a callable accepting ``(request)``
         and returning ``True`` if the request should be checked for a valid
         CSRF token. This callback allows an application to support
@@ -237,6 +240,9 @@ class SecurityConfiguratorMixin(object):
         .. versionchanged:: 1.8
            Added the ``callback`` option.
 
+        .. versionchanged:: 2.0
+           Added the ``allow_no_origin`` option.
+
         """
         options = DefaultCSRFOptions(
             require_csrf=require_csrf,
-- 
cgit v1.2.3