Documented CSRF protection, closes #827

pull/809/head
Simon Willison 2020-06-09 12:32:52 -07:00
parent 5ef3b7b0c9
commit 56eb80a459
1 changed file with 15 additions and 1 deletion


@ -51,7 +51,7 @@ The request object is passed to various plugin hooks. It represents an incoming
The object also has one awaitable method:
``await request.post_vars()`` - dictionary
Returns a dictionary of form variables that were submitted in the request body via ``POST``.
Returns a dictionary of form variables that were submitted in the request body via ``POST``. Don't forget to read about :ref:`internals_csrf`!
.. _internals_multiparams:
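Review bot: the cross-reference appended to the ``post_vars()`` description tells readers to look at :ref:`internals_csrf` but says nothing about what the CSRF check means for this method; a short clause stating what happens to a ``POST`` whose token is missing or does not match the cookie would tell plugin authors why the link matters before they follow it.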
@ -500,3 +500,17 @@ The ``Database`` class also provides properties and methods for introspecting th
}
]
}
.. _internals_csrf:
CSRF protection
~~~~~~~~~~~~~~~
Datasette uses `asgi-csrf <https://github.com/simonw/asgi-csrf>`__ to guard against CSRF attacks on form POST submissions. Users receive a ``ds_csrftoken`` cookie which is compared against the ``csrftoken`` form field (or ``x-csrftoken`` HTTP header) for every incoming request.
If your plugin implements a ``<form method="POST">`` anywhere you will need to include that token. You can do so with the following template snippet:
.. code-block:: html
<input type="hidden" name="csrftoken" value="{{ csrftoken() }}">
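Review bot: the second sentence of the new section says the ``ds_csrftoken`` cookie is compared against the ``csrftoken`` form field or ``x-csrftoken`` header "for every incoming request", which contradicts the first sentence's scope of form ``POST`` submissions and reads as if ``GET`` requests also needed a token; state which request methods are actually checked. The ``x-csrftoken`` header is offered as an alternative but the snippet only covers HTML forms, so a sentence saying where a script obtains the value (the ``ds_csrftoken`` cookie is already named) and that it is sent in that header would complete the picture; confirm against asgi-csrf's behaviour before wording it.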