    Remove "assertion" GET param from token requests · 22181c80
    Nick Stenning authored
    When fetching a JWT from the server, the client needs to supply the
    session CSRF token in order to prevent third-party pages from being able
    to fetch and use tokens without the user's permission.
    
    Previously, we supplied the CSRF token in an "assertion" GET parameter
    (partially in an attempt to make this look a bit like an OAuth token
    issuance API) but in Pyramid 1.7 this isn't allowed. (This is good:
    allowing the CSRF to be passed as a GET parameter makes it easier to
    construct a cross-domain attack which retrieves a token for the user).
    
    This commit moves the CSRF token into a request header, which works
    because there are only two legitimate situations in which this request
    is made:
    
    - from an embed iframe, which is on the same origin as the service
    - from a Chrome extension iframe, which is permitted to make
      cross-origin XHR requests to URLs specified in the manifest (in our
      case, `<all_urls>`).
    
    Note that we cannot rely on Angular's built-in CSRF support here,
    because it does not operate for cross-domain requests.
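The scheme the commit message describes, shown as an added example (not code from the h project or the Hypothesis client): the client puts the session CSRF token in a request header, and the server accepts the token request only when that header matches the session's token, ignoring any `assertion` query parameter. The header name `X-CSRF-Token`, the endpoint path, the token values and the attacker's requests are assumptions constructed for illustration. The server half is a mock of the policy the message attributes to Pyramid 1.7, not Pyramid itself.

```javascript
// Added example, not from the h project. Header name and endpoint are assumed.
const CSRF_HEADER = 'X-CSRF-Token';
const TOKEN_ENDPOINT = 'https://example.invalid/api/token';

// Client side: build the JWT request. The CSRF token travels only in a
// header, never in the query string, so a third-party page that can only
// navigate the browser to a URL cannot supply it.
function buildTokenRequest(csrfToken) {
  if (typeof csrfToken !== 'string' || csrfToken.length === 0) {
    throw new Error('missing session CSRF token');
  }
  return {
    method: 'GET',
    url: TOKEN_ENDPOINT,
    headers: { [CSRF_HEADER]: csrfToken },
    credentials: 'include', // the session cookie identifies the user
  };
}

// Case-insensitive header lookup, as HTTP header names are case-insensitive.
function getHeader(headers, name) {
  const key = Object.keys(headers || {}).find(
    (k) => k.toLowerCase() === name.toLowerCase()
  );
  return key === undefined ? undefined : headers[key];
}

// Constant-time string comparison so a mismatch does not leak token bytes
// through timing differences.
function tokensEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

// Server side (mock of the described policy): decide whether a token
// request is allowed given the CSRF token stored in the caller's session.
// Only the header is consulted; an "assertion" query parameter is ignored.
function checkTokenRequest(req, sessionCsrfToken) {
  const url = new URL(req.url);
  const ignoredQueryParam = url.searchParams.has('assertion');
  const headerToken = getHeader(req.headers, CSRF_HEADER);
  if (headerToken === undefined) {
    return { ok: false, reason: 'missing CSRF header', ignoredQueryParam };
  }
  if (!tokensEqual(headerToken, sessionCsrfToken)) {
    return { ok: false, reason: 'CSRF token mismatch', ignoredQueryParam };
  }
  return { ok: true, reason: 'ok', ignoredQueryParam };
}

// Scenario: the legitimate embed/extension iframe knows the session token;
// a cross-domain attacker page does not and can at best guess it or try the
// old query-parameter route.
const SESSION_TOKEN = 'c3e1f0a9d2b4'; // constructed sample value

function runScenario() {
  const legit = checkTokenRequest(buildTokenRequest(SESSION_TOKEN), SESSION_TOKEN);
  const noHeader = checkTokenRequest(
    { method: 'GET', url: TOKEN_ENDPOINT, headers: {} },
    SESSION_TOKEN
  );
  const viaQuery = checkTokenRequest(
    { method: 'GET', url: `${TOKEN_ENDPOINT}?assertion=${SESSION_TOKEN}`, headers: {} },
    SESSION_TOKEN
  );
  const guessed = checkTokenRequest(
    { method: 'GET', url: TOKEN_ENDPOINT, headers: { 'x-csrf-token': '000000000000' } },
    SESSION_TOKEN
  );
  return { legit, noHeader, viaQuery, guessed };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runScenario(), null, 2));
}
```

The `viaQuery` case is the one the commit removes: even with the correct token in the `assertion` parameter, the request is refused because the server no longer reads it from there. Note that this mock only enforces the CSRF check; in the real service the session cookie and any origin or CORS policy still apply on top of it.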