Pursuant to #191 and #192; currently the websocket connection (via sente) isn't using CSRF protection. My thinking around this is twofold:
Since the websocket connection is to api.braid.chat from (m.)braid.chat, it's always going to be a cross-site request -- as far as I can tell, there isn't really a reasonable way for the client to have a CSRF token in a way that isn't trivially forgeable anyway.
As of 27939e6, braid actually sets the Access-Control-Allow-Origin header to only allow braid.chat and m.braid.chat (and localhost, for dev purposes), so a malicious attempt to connect will fail anyway, since the Ajax handshake gets blocked. Is this sufficient?
Is this enough? Do we need to enable Sente's CSRF protection? If so, how?
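A server-side counterpart to the CORS header, added here as an example and not code from Braid or Sente: browsers send an Origin header on a WebSocket handshake but do not enforce Access-Control-Allow-Origin on it, so the check a practitioner would want is Ring middleware that compares the handshake's Origin against an allowlist before the upgrade completes. The allowlist contents, the `wrap-ws-origin-check` name and the sample requests are assumptions.

```clojure
;; Added example, not Braid's or Sente's own code. Assumes a Ring-style
;; request map (lowercase header names, :request-method keyword), which
;; is what Sente's handlers receive.
(ns example.ws-origin
  (:require [clojure.string :as str]))

(def allowed-origins
  ;; Constructed allowlist; the origins named in the issue plus a dev host.
  #{"https://braid.chat" "https://m.braid.chat" "http://localhost:3000"})

(defn websocket-upgrade?
  "True when the request is an HTTP -> WebSocket handshake."
  [req]
  (let [headers (:headers req)]
    (and (= :get (:request-method req))
         (some-> (get headers "upgrade") str/lower-case (= "websocket")))))

(defn origin-allowed?
  "Exact match against the allowlist. A prefix or regex check would be
   looser than intended, since a missing Origin or a look-alike host
   must both be rejected."
  [req]
  (contains? allowed-origins (get-in req [:headers "origin"])))

(defn wrap-ws-origin-check
  "Ring middleware: reject WebSocket handshakes whose Origin is not allowlisted.
   Non-upgrade requests pass through untouched."
  [handler]
  (fn [req]
    (if (and (websocket-upgrade? req) (not (origin-allowed? req)))
      {:status 403
       :headers {"Content-Type" "text/plain"}
       :body "Forbidden: origin not allowed for WebSocket handshake"}
      (handler req))))

;; Constructed sample requests for a REPL check of both branches.
(comment
  (def ok-req {:request-method :get
               :headers {"upgrade" "websocket" "origin" "https://braid.chat"}})
  (def bad-req (assoc-in ok-req [:headers "origin"] "https://other.example"))
  ((wrap-ws-origin-check (constantly {:status 101})) ok-req)
  ((wrap-ws-origin-check (constantly {:status 101})) bad-req))
```

Wrap the Sente ring handler with this middleware so the Origin check runs on every handshake; it complements, rather than replaces, Sente's token-based CSRF option.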