summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/ref/contrib/csrf.txt7
1 files changed, 4 insertions, 3 deletions
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt
index e1a87d495f..4c847271da 100644
--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
@@ -347,8 +347,9 @@ all the views that need it, enable the middleware and use
CsrfViewMiddleware.process_view not used
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-There are cases when may not have run before your view is run - 404 and 500
-handlers, for example - but you still need the CSRF token in a form.
+There are cases when ``CsrfViewMiddleware.process_view``` may not have run
+before your view is run - 404 and 500 handlers, for example - but you still
+need the CSRF token in a form.
Solution: use :func:`~django.views.decorators.csrf.requires_csrf_token`
@@ -420,7 +421,7 @@ The domain to be used when setting the CSRF cookie. This can be useful for
easily allowing cross-subdomain requests to be excluded from the normal cross
site request forgery protection. It should be set to a string such as
``".lawrence.com"`` to allow a POST request from a form on one subdomain to be
-accepted by accepted by a view served from another subdomain.
+accepted by a view served from another subdomain.
Please note that, with or without use of this setting, this CSRF protection
mechanism is not safe against cross-subdomain attacks -- see `Limitations`_.