Fixed #29879 -- Added CSRF_COOKIE_HTTPONLY to CSRF AJAX docs.

Mayank Singhal 6 years ago
parent
commit
76b3367035
2 changed files with 16 additions and 9 deletions:

1. docs/ref/csrf.txt (+13 −7)
2. docs/ref/settings.txt (+3 −2)

+ 13 - 7
docs/ref/csrf.txt

@@ -66,10 +66,13 @@ often easier because many JavaScript frameworks provide hooks that allow
 headers to be set on every request.
 
 First, you must get the CSRF token. How to do that depends on whether or not
-the :setting:`CSRF_USE_SESSIONS` setting is enabled.
+the :setting:`CSRF_USE_SESSIONS` and :setting:`CSRF_COOKIE_HTTPONLY` settings
+are enabled.
 
-Acquiring the token if :setting:`CSRF_USE_SESSIONS` is ``False``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.. _acquiring-csrf-token-from-cookie:
+
+Acquiring the token if :setting:`CSRF_USE_SESSIONS` and :setting:`CSRF_COOKIE_HTTPONLY` are ``False``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 The recommended source for the token is the ``csrftoken`` cookie, which will be
 set if you've enabled CSRF protection for your views as outlined above.
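Review bot: the rewritten intro sentence ("depends on whether or not the :setting:`CSRF_USE_SESSIONS` and :setting:`CSRF_COOKIE_HTTPONLY` settings are enabled") reads as if both settings have to be on together, while the two new headings make clear the cookie route only works when both are ``False`` and the DOM route applies as soon as either is ``True``. Suggest "depends on whether either of the :setting:`CSRF_USE_SESSIONS` or :setting:`CSRF_COOKIE_HTTPONLY` settings is enabled" so the prose matches the headings. Also double-check that the ``~`` underline under the new, much longer heading is at least as long as the heading text, since Sphinx emits a "Title underline too short" warning otherwise.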
@@ -122,11 +125,14 @@ The above code could be simplified by using the `JavaScript Cookie library
     Django provides a view decorator which forces setting of the cookie:
     :func:`~django.views.decorators.csrf.ensure_csrf_cookie`.
 
-Acquiring the token if :setting:`CSRF_USE_SESSIONS` is ``True``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.. _acquiring-csrf-token-from-html:
+
+Acquiring the token if :setting:`CSRF_USE_SESSIONS` or :setting:`CSRF_COOKIE_HTTPONLY` is ``True``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-If you activate :setting:`CSRF_USE_SESSIONS`, you must include the CSRF token
-in your HTML and read the token from the DOM with JavaScript:
+If you activate :setting:`CSRF_USE_SESSIONS` or
+:setting:`CSRF_COOKIE_HTTPONLY`, you must include the CSRF token in your HTML
+and read the token from the DOM with JavaScript:
 
 .. code-block:: html+django
 

+ 3 - 2
docs/ref/settings.txt

@@ -335,8 +335,9 @@ Although the setting offers little practical benefit, it's sometimes required
 by security auditors.
 
 If you enable this and need to send the value of the CSRF token with an AJAX
-request, your JavaScript must pull the value from a hidden CSRF token form
-input on the page instead of from the cookie.
+request, your JavaScript must pull the value :ref:`from a hidden CSRF token
+form input <acquiring-csrf-token-from-html>` instead of :ref:`from the cookie
+<acquiring-csrf-token-from-cookie>`.
 
 See :setting:`SESSION_COOKIE_HTTPONLY` for details on ``HttpOnly``.
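Review bot: replacing the free-text description with ``:ref:`` links to the two labels added in ``docs/ref/csrf.txt`` keeps the two documents from drifting apart, which is the right call; the one thing to confirm before merge is that both new labels (``acquiring-csrf-token-from-cookie`` and ``acquiring-csrf-token-from-html``) are unique across the docs tree, since a duplicate label makes Sphinx resolve the ``:ref:`` to the wrong section with only a warning. It would also be worth noting in this paragraph, next to "Although the setting offers little practical benefit", that once the setting is enabled the ``csrftoken`` cookie is still transmitted but can no longer be read by page scripts, which is the reason the hidden form input becomes mandatory.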