We use git-cl to manage code reviews with git, but since r466 the "git-cl close" command fails due to the added XSRF protection. The security is of course important, though the current method makes scripting difficult since it requires first fetching a page to parse out the token. For views such as "close" that are posted via XHR, a simpler way to protect them is by requiring a custom HTTP header. For example, see the Google Visualization API docs on securing custom data sources:
http://code.google.com/apis/visualization/documentation/dev/implementing_data_source.html#security_considerations

E.g. in M_closeIssue:
    httpreq.open("POST", "/" + id + "/close", true);
    // custom header: a cross-site form post or plain GET cannot set this
    httpreq.setRequestHeader("X-Rietveld-XSRF", "true");
    httpreq.send();
This would allow for easy protection of the JavaScript requests and allow for easy scripting in tools like git-cl, which can also use these custom headers.

I'll set up Rietveld locally later to work on a patch for this.
Original issue reported on code.google.com by m...@matt-good.net on 12 Oct 2009 at 6:19
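The server-side half of the header check proposed above, as an added example that is not part of the issue or of Rietveld's code base: a view decorator that refuses a state-changing request unless it carries the custom header, plus the header set a script like git-cl would send. The Request and Response classes are constructed stand-ins for the Django objects Rietveld uses; close_issue is a hypothetical view body.

```python
from functools import wraps

XSRF_HEADER = "X-Rietveld-XSRF"   # header name taken from the issue text


class Request:
    """Constructed stand-in: HTTP method plus a case-insensitive header map."""
    def __init__(self, method, headers=None):
        self.method = method
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}

    def header(self, name):
        return self.headers.get(name.lower())


class Response:
    """Constructed stand-in holding only the status code and a short body."""
    def __init__(self, status, body=""):
        self.status = status
        self.body = body


def xsrf_header_required(view):
    """Reject requests that lack the custom header before the view runs.

    A browser only attaches custom headers to same-origin XMLHttpRequest
    calls; a cross-site form post, image tag or link cannot add one, and a
    cross-origin XHR with a custom header triggers a CORS preflight the
    server never approves. So a forged request cannot carry the header.
    """
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if request.method != "POST":
            return Response(405, "POST required")
        if request.header(XSRF_HEADER) != "true":
            return Response(403, "missing %s header" % XSRF_HEADER)
        return view(request, *args, **kwargs)
    return wrapper


@xsrf_header_required
def close_issue(request, issue_id):
    """Hypothetical 'close' view; the real one updates the issue record."""
    return Response(200, "issue %s closed" % issue_id)


def git_cl_headers():
    """Headers a script such as git-cl would send: no token fetch needed."""
    return {XSRF_HEADER: "true",
            "Content-Type": "application/x-www-form-urlencoded"}


if __name__ == "__main__":
    forged = Request("POST")                    # cross-site form post: no header
    print(close_issue(forged, 123).status)      # 403
    legit = Request("POST", git_cl_headers())   # scripted client with the header
    print(close_issue(legit, 123).status)       # 200
```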