-
Nick Stenning authoredWhen fetching a JWT from the server, the client needs to supply the session CSRF token in order to prevent third-party pages from being able to fetch and use tokens without the user's permission. Previously, we supplied the CSRF token in an "assertion" GET parameter (partially in an attempt to make this look a bit like an OAuth token issuance API) but in Pyramid 1.7 this isn't allowed. (This is good: allowing the CSRF to be passed as a GET parameter makes it easier to construct a cross-domain attack which retrieves a token for the user). This commit moves the CSRF token into a request header, which works because there are only two legitimate situations in which this request is made: - from an embed iframe, which is on the same origin as the service - from a Chrome extension iframe, which is permitted to make cross-origin XHR requests to URLs specified in the manifest (in our case, `<all_urls>`). Note that we cannot rely on Angular's built-in CSRF support here, because it does not operate for cross-domain requests.
22181c80
| Name |
Last commit
|
Last update |
|---|---|---|
| .github | ||
| docs | ||
| h | ||
| images | ||
| scripts | ||
| .eslintignore | ||
| .eslintrc | ||
| .gitignore | ||
| .npmignore | ||
| .npmrc | ||
| .travis.yml | ||
| CHANGELOG.md | ||
| CODE_OF_CONDUCT | ||
| Jenkinsfile | ||
| LICENSE | ||
| Makefile | ||
| README.md | ||
| gulpfile.js | ||
| npm-shrinkwrap.json | ||
| package.json |