From: Ben Darnell Date: Sun, 2 Dec 2012 02:27:34 +0000 (-0500) Subject: Document the use of self.xsrf_token to set the cookie for ajax-only apps. X-Git-Tag: v3.0.0~207 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eea63fc20d2dd6e505a7708340b870b6b98a9edd;p=thirdparty%2Ftornado.git Document the use of self.xsrf_token to set the cookie for ajax-only apps. Closes #645. --- diff --git a/website/sphinx/overview.rst b/website/sphinx/overview.rst index 2c762d2b5..0e0ac403b 100644 --- a/website/sphinx/overview.rst +++ b/website/sphinx/overview.rst @@ -557,7 +557,11 @@ all requests: For ``PUT`` and ``DELETE`` requests (as well as ``POST`` requests that do not use form-encoded arguments), the XSRF token may also be passed -via an HTTP header named ``X-XSRFToken``. +via an HTTP header named ``X-XSRFToken``. The XSRF cookie is normally +set when ``xsrf_form_html`` is used, but in a pure-Javascript application +that does not use any regular forms you may need to access +``self.xsrf_token`` manually (just reading the property is enough to +set the cookie as a side effect). If you need to customize XSRF behavior on a per-handler basis, you can override ``RequestHandler.check_xsrf_cookie()``. For example, if you
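Review bot: In the added sentence ending "(just reading the property is enough to set the cookie as a side effect)", the text does not say where that read should happen, and a bare read of ``self.xsrf_token`` whose value goes unused is exactly the kind of line a later cleanup removes as dead code, which would silently stop the cookie from being set. Suggest stating that the read belongs in a handler the client requests before its first ``PUT``, ``DELETE`` or non-form ``POST``, and recommending a comment on that line saying it exists to set the XSRF cookie. Minor style point in the same sentence: "pure-Javascript" should read "pure-JavaScript".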