For ``PUT`` and ``DELETE`` requests (as well as ``POST`` requests that
do not use form-encoded arguments), the XSRF token may also be passed
-via an HTTP header named ``X-XSRFToken``.
+via an HTTP header named ``X-XSRFToken``. The XSRF cookie is normally
+set when ``xsrf_form_html`` is used, but in a pure-Javascript application
+that does not use any regular forms you may need to access
+``self.xsrf_token`` manually (just reading the property is enough to
+set the cookie as a side effect).
If you need to customize XSRF behavior on a per-handler basis, you can
override ``RequestHandler.check_xsrf_cookie()``. For example, if you
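Review bot: The added sentence about ``self.xsrf_token`` says that reading the property sets the cookie, but not where that read has to happen, so a reader building a pure-JavaScript client cannot tell which handler must touch it for the cookie to exist before the first ``PUT`` or ``DELETE`` carrying ``X-XSRFToken``. Suggest naming the place (for example, the handler that serves the page hosting the script) and stating how the script is expected to obtain the value it sends in the header. Because the cookie is set only as a side effect of a property read, a short comment in any example would help keep the apparently unused access from being removed later. Minor style point: "Javascript" should be spelled "JavaScript".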