Closed STRML closed 10 years ago
Hi! I see you didn't add any tests to go along with your change. Can you show me code for a use-case this change would serve?
@dougwilson Happy to add a test.
As for a use case, for example, I have a large JS app. It has a bootstrap data file that I want to load as quickly as possible. This works well, but the bootstrap file contains some sensitive data. A malicious actor could create an HTML page that simply requires the script (which would be requested with the user's cookies), and read the data.
Aside from doing proper referer and origin checking, a CSRF token on the GET is another nice layer of protection.
Just added tests.
OK. I'm going to change the option to an array instead of an object. The only reason it's an object internally is for "faster" lookups.
@dougwilson As an array, it may be more difficult to use: as an object, you can enable/disable any method one at a time, as in the tests.
Yes, but there are only 3 methods. To disable GET, just pass in `["HEAD", "OPTIONS"]`. Being explicit is a better interface. Then if we decide to start skipping "TRACE", you won't be thrown off-guard. The option will make other people than you happy by allowing them to know for sure which methods are ignored instead of needing to know what the defaults are.
Makes sense, I agree with that.
On Aug 24, 2014, at 12:26 PM, Douglas Christopher Wilson notifications@github.com wrote:
> Yes, but there are only 3 methods. To disable GET, just pass in `["HEAD", "OPTIONS"]`. Being explicit is a better interface. Then if we decide to start skipping "TRACE", you won't be thrown off-guard. The option will make other people than you happy by allowing them to know for sure which methods are ignored instead of needing to know what the defaults are.
OK, check out `npm install expressjs/csurf` and confirm if it fits your needs or not :)
@dougwilson Just tried it out, works great. Thanks
Can be useful to add GET CSRF protection on a router, or otherwise disable checking for a given verb.