braidchat / braid

Braid is a team-chat app with a novel UI that leads to better conversations.
http://www.braidchat.com/
923 stars, 53 forks

Update to latest sente version to fix CSRF vulnerability #191

Closed rafd closed 5 years ago

rafd commented 5 years ago

See https://github.com/ptaoussanis/sente/blob/master/CHANGELOG.md#v1140-rc2---2019-jan-12

jamesnvc commented 5 years ago

I'm disabling the server-side CSRF checking right now for the setup. Since that initial call is made over AJAX to another domain (the websocket is on api.braid.chat, but the user is on braid.chat), there isn't really a way to get that token that isn't just as trivially hijackable. I think CORS protection should guard against this, in any case.

jamesnvc commented 5 years ago

Yeah, addressing #192 makes starting a cross-site websocket fail, even if the CSRF token is ignored for sente, which I think is okay.
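The gate the two comments above rely on, as an added example (this is not Braid's or Sente's code). The point worth making concrete is that browsers do not apply CORS to a WebSocket handshake: a page on any site can open a socket to api.braid.chat and the browser attaches the user's cookies. What the server can rely on is the Origin header, which page script cannot set, so the handshake is rejected unless Origin is on an allowlist, and a CSRF token is compared in constant time on top of that. The allowed origins, the `X-CSRF-Token` header name and the sample headers are assumptions for this example, not the deployment's actual values.

```python
"""Added example: Origin allowlist plus CSRF-token check for a WebSocket
upgrade request. Not Braid's or Sente's code; names and values are assumed."""
import hmac
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# Assumed deployment: the chat UI is served from these origins only.
ALLOWED_ORIGINS: Set[str] = {"https://braid.chat", "https://www.braid.chat"}


def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalise an Origin value to scheme://host[:port].

    Returns None for anything that is not a plain http(s) origin, including
    the literal "null" origin and values carrying a path.
    """
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    host = parts.hostname.lower()  # urlsplit already lowercases, kept explicit
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def check_handshake(headers: Dict[str, str], expected_csrf: str,
                    allowed: Set[str] = ALLOWED_ORIGINS) -> Tuple[bool, str]:
    """Decide whether a WebSocket upgrade may proceed.

    Header names are matched case-insensitively. Returns (ok, reason).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"

    origin = h.get("origin")
    if origin is None:
        # No Origin means the request did not come from a browser page. Such a
        # client can set any header anyway, so CSRF is not the threat; whether
        # to accept is policy. This example stays strict and rejects.
        return False, "missing Origin"
    norm = normalize_origin(origin)
    # Exact-match against the allowlist: a prefix or substring match would let
    # https://braid.chat.attacker.example through.
    if norm is None or norm not in allowed:
        return False, f"origin not allowed: {origin}"

    # Assumed transport for the token: an X-CSRF-Token header on the upgrade.
    token = h.get("x-csrf-token", "")
    if not token or not hmac.compare_digest(token, expected_csrf):
        return False, "bad CSRF token"
    return True, "ok"


# Constructed sample handshakes (not captured traffic).
SESSION_CSRF = "tok-3f9a"
SAME_SITE = {"Upgrade": "websocket", "Origin": "https://braid.chat",
             "X-CSRF-Token": SESSION_CSRF}
CROSS_SITE = {"Upgrade": "websocket", "Origin": "https://attacker.example",
              "X-CSRF-Token": SESSION_CSRF}
LOOKALIKE = {"Upgrade": "websocket",
             "Origin": "https://braid.chat.attacker.example",
             "X-CSRF-Token": SESSION_CSRF}
NO_TOKEN = {"Upgrade": "websocket", "Origin": "https://braid.chat"}


if __name__ == "__main__":
    for name, hdrs in [("same-site", SAME_SITE), ("cross-site", CROSS_SITE),
                       ("lookalike", LOOKALIKE), ("no-token", NO_TOKEN)]:
        print(name, check_handshake(hdrs, SESSION_CSRF))
```

The cross-site and lookalike handshakes fail on Origin before the token is even looked at, which is the behaviour the second comment describes for #192; the same-site handshake without a token fails on the CSRF check, which is the layer the first comment disables.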