crkn-rcdr / sapindale

Sapper/Svelte access platform administration interface

CSRF tokens #95

Closed SaschaAdler closed 2 years ago

SaschaAdler commented 3 years ago

At some point soon we should ensure that Sapindale requests cannot be authenticated in a cross-site request forgery attack. In such an attack, a malicious web page entices a staff member to submit a form or send an AJAX/fetch request to Sapindale, which by default would have access to the same authentication cookie that our own Sapindale requests do. Having the client use a token generated by the server when making its requests would prevent this from taking place in all cases.

Note that modern browsers already prevent requests from pages not on Sapindale's domain thanks to CORS, although it would also be worth ensuring that the correct restrictive CORS policies are explicitly put in place server-side.

RussellMcOrmond commented 2 years ago

Functionality is slowly being migrated from Sapindale to other applications, so closing.