web: Document the type of xsrf_token

Fixes #2279

diff --git a/tornado/web.py b/tornado/web.py
index eaab91eede0e60b8a473d979d42f1ad5815d18f9..8abe4bc2a64d78364a71b19f4f3d2532d7196d64 100644 (file)
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -1220,6 +1220,11 @@ class RequestHandler(object):
 
         See http://en.wikipedia.org/wiki/Cross-site_request_forgery
 
+        This property is of type `bytes`, but it contains only ASCII
+        characters. If a character string is required, there is no
+        need to base64-encode it; just decode the byte string as
+        UTF-8.
+
         .. versionchanged:: 3.2.2
            The xsrf token will now be have a random mask applied in every
            request, which makes it safe to include the token in pages