From: Ben Darnell
Date: Wed, 16 Feb 2011 21:36:50 +0000 (-0800)
Subject: Document new behavior of XSRF tokens.
X-Git-Tag: v1.2.0~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2ab946518ab2d79e0732a7685e555be04a6a91a0;p=thirdparty%2Ftornado.git

Document new behavior of XSRF tokens.
---
diff --git a/website/templates/documentation.txt b/website/templates/documentation.txt
index 1dd6b6632..f08492563 100644
--- a/website/templates/documentation.txt
+++ b/website/templates/documentation.txt
@@ -433,11 +433,12 @@ include the application setting `xsrf_cookies`: (r"/login", LoginHandler), ], **settings) -If `xsrf_cookies` is set, the Tornado web application will set the `_xsrf` -cookie for all users and reject all `POST` requests that do not contain a -correct `_xsrf` value. If you turn this setting on, you need to instrument -all forms that submit via `POST` to contain this field. You can do this with -the special function `xsrf_form_html()`, available in all templates: +If `xsrf_cookies` is set, the Tornado web application will set the +`_xsrf` cookie for all users and reject all `POST`, `PUT`, and +`DELETE` requests that do not contain a correct `_xsrf` value. If you +turn this setting on, you need to instrument all forms that submit via +`POST` to contain this field. You can do this with the special +function `xsrf_form_html()`, available in all templates:
{{ xsrf_form_html() }} @@ -463,6 +464,10 @@ requests that automatically adds the `_xsrf` value to all requests: }}); }; +For `PUT` and `DELETE` requests (as well as `POST` requests that do not +use form-encoded arguments), the XSRF token may also be passed via +an HTTP header named `X-XSRFToken`. + ### Static files and aggressive file caching
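Review bot: in the rewritten paragraph of the first hunk (the `@@ -433,11 +433,12 @@` region), "reject all `POST`, `PUT`, and `DELETE` requests that do not contain a correct `_xsrf` value" never says what "correct" means; spell out that the submitted value must match the `_xsrf` cookie Tornado set for that user, since that is the one fact a reader needs in order to supply the token from anything other than a generated form. The follow-on sentence also still only tells the reader to instrument "all forms that submit via `POST`"; now that `PUT` and `DELETE` are rejected as well, and a plain HTML form cannot send either, the paragraph should say that those requests need the token delivered some other way, or it reads as if fixing the forms is sufficient.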
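Review bot: the new `X-XSRFToken` paragraph in the second hunk (the `@@ -463,6 +464,10 @@` region) does not say what value the header must carry or where a client gets it; add that it must equal the current `_xsrf` cookie value, the same value the snippet above adds to every request as the `_xsrf` argument, so a client can set it with something like `xhr.setRequestHeader("X-XSRFToken", <value of the _xsrf cookie>)`. Two further details would save readers a trip to the source: which wins when both the `_xsrf` argument and the header are present, and whether the header is also honored for ordinary form-encoded `POST`, since "may also be passed" for the listed cases leaves that open.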