From 74c4f12b274cefbf8fe89571be440ff734c8ecca Mon Sep 17 00:00:00 2001
From: jeremystretch
Date: Tue, 1 Feb 2022 14:29:52 -0500
Subject: [PATCH] Closes #8509: CSRF_TRUSTED_ORIGINS is now a discrete configuration parameter
---
 docs/configuration/optional-settings.md | 15 +++++++++++++++
 docs/release-notes/version-3.2.md | 1 +
 netbox/netbox/settings.py | 3 +--
 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/docs/configuration/optional-settings.md b/docs/configuration/optional-settings.md
index 110ca932210..081e4b776ab 100644
--- a/docs/configuration/optional-settings.md
+++ b/docs/configuration/optional-settings.md
@@ -66,6 +66,21 @@ CORS_ORIGIN_WHITELIST = [
 ---
+## CSRF_TRUSTED_ORIGINS
+
+Default: `[]`
+
+Defines a list of trusted origins for unsafe (e.g. `POST`) requests. This is a pass-through to Django's [`CSRF_TRUSTED_ORIGINS`](https://docs.djangoproject.com/en/4.0/ref/settings/#std:setting-CSRF_TRUSTED_ORIGINS) setting. Note that each host listed must specify a scheme (e.g. `http://` or `https://).
+
+```python
+CSRF_TRUSTED_ORIGINS = (
+ 'http://netbox.local',
+ 'https://netbox.local',
+)
+```
+
+---
+
 ## DEBUG
 Default: False
diff --git a/docs/release-notes/version-3.2.md b/docs/release-notes/version-3.2.md
index 1b4a7ef8713..7168a13d00b 100644
--- a/docs/release-notes/version-3.2.md
+++ b/docs/release-notes/version-3.2.md
@@ -92,6 +92,7 @@ A new REST API endpoint has been added at `/api/ipam/vlan-groups//available-
 * [#7748](https://github.com/netbox-community/netbox/issues/7748) - Remove legacy contact fields from site model
 * [#8031](https://github.com/netbox-community/netbox/issues/8031) - Remove automatic redirection of legacy slug-based URLs
 * [#8195](https://github.com/netbox-community/netbox/issues/8195), [#8454](https://github.com/netbox-community/netbox/issues/8454) - Use 64-bit integers for all primary keys
+* [#8509](https://github.com/netbox-community/netbox/issues/8509) - `CSRF_TRUSTED_ORIGINS` is now a discrete configuration parameter (rather than being populated from `ALLOWED_HOSTS`)
 ### REST API Changes
diff --git a/netbox/netbox/settings.py b/netbox/netbox/settings.py
index 2c33ec862b9..4ca24fbf112 100644
--- a/netbox/netbox/settings.py
+++ b/netbox/netbox/settings.py
@@ -80,6 +80,7 @@ CORS_ORIGIN_ALLOW_ALL = getattr(configuration, 'CORS_ORIGIN_ALLOW_ALL', False)
 CORS_ORIGIN_REGEX_WHITELIST = getattr(configuration, 'CORS_ORIGIN_REGEX_WHITELIST', [])
 CORS_ORIGIN_WHITELIST = getattr(configuration, 'CORS_ORIGIN_WHITELIST', [])
+CSRF_TRUSTED_ORIGINS = getattr(configuration, 'CSRF_TRUSTED_ORIGINS', [])
 DATE_FORMAT = getattr(configuration, 'DATE_FORMAT', 'N j, Y')
 DATETIME_FORMAT = getattr(configuration, 'DATETIME_FORMAT', 'N j, Y g:i a')
 DEBUG = getattr(configuration, 'DEBUG', False)
@@ -404,8 +405,6 @@ def _setting(name, default=None):
 LOGIN_URL = f'/{BASE_PATH}login/'
 LOGIN_REDIRECT_URL = f'/{BASE_PATH}'
-CSRF_TRUSTED_ORIGINS = ALLOWED_HOSTS
-
 DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
 # Exclude potentially sensitive models from wildcard view exemption. These may still be exempted
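Review bot: The added `CSRF_TRUSTED_ORIGINS = getattr(configuration, 'CSRF_TRUSTED_ORIGINS', [])` line carries no comment saying that the value is now a raw Django origin list rather than something derived from `ALLOWED_HOSTS`, which is the one thing an operator editing this block needs to know. Django 4.0 compares these entries as full origins (scheme plus host, with the port where the Host header carries one), so a hostname-only entry is rejected by its system check, and a deployment that relied on the old `ALLOWED_HOSTS` pass-through will see CSRF 403s on unsafe requests until its public origin is listed explicitly; the `[]` default is the right fail-closed choice. I would add `# Django 4.0 matches these as full origins, e.g. 'https://netbox.example.com'; nothing is derived from ALLOWED_HOSTS any more.` directly above the assignment. The deletion of `CSRF_TRUSTED_ORIGINS = ALLOWED_HOSTS` in the second settings.py hunk is what lets this assignment take effect and needs nothing further.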