(r"/login", LoginHandler),
], **settings)
-If `xsrf_cookies` is set, the Tornado web application will set the `_xsrf`
-cookie for all users and reject all `POST` requests that do not contain a
-correct `_xsrf` value. If you turn this setting on, you need to instrument
-all forms that submit via `POST` to contain this field. You can do this with
-the special function `xsrf_form_html()`, available in all templates:
+If `xsrf_cookies` is set, the Tornado web application will set the
+`_xsrf` cookie for all users and reject all `POST`, `PUT`, and
+`DELETE` requests that do not contain a correct `_xsrf` value. If you
+turn this setting on, you need to instrument all forms that submit via
+`POST` to contain this field. You can do this with the special
+function `xsrf_form_html()`, available in all templates:
<form action="/new_message" method="post">
{{ xsrf_form_html() }}
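Review bot: the rewritten paragraph now lists `PUT` and `DELETE` among the rejected requests, but the only instrumentation it describes is still `xsrf_form_html()` for forms that submit via `POST`. Read on its own, it gives a `PUT` or `DELETE` caller no way to supply the `_xsrf` value. Suggest adding a forward pointer here to the `X-XSRFToken` header paragraph added later in this patch, or moving that paragraph up so the requirement and the way to meet it sit together.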
}});
};
+For `PUT` and `DELETE` requests (as well as `POST` requests that do not
+use form-encoded arguments), the XSRF token may also be passed via
+an HTTP header named `X-XSRFToken`.
+
### Static files and aggressive file caching
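Review bot: the new `X-XSRFToken` paragraph does not say what the header has to contain. It refers to "the XSRF token", while the paragraph changed earlier in this patch only speaks of the `_xsrf` cookie and "a correct `_xsrf` value", so the two terms are never tied together. Suggest stating explicitly that the header carries the same value as the `_xsrf` cookie, and giving one concrete case of a `POST` that does "not use form-encoded arguments" so readers can tell when the header applies to them.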