madecoste / swarming

Automatically exported from code.google.com/p/swarming
Apache License 2.0

Do not require XSRF token if using Authorization header #195

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
XSRF token is only useful with cookie (or IP based) authentication. No need to 
use it when authenticating via OAuth or X-Appengine-Inbound-Appid (since 
there's no way to forge a request with custom header, e.g. Cloud Endpoints do 
not use XSRF tokens).

Requiring XSRF token makes Appengine <-> Appengine calls complicated since now 
XSRF token has to be managed somehow.

Original issue reported on code.google.com by vadimsh@chromium.org on 18 Dec 2014 at 7:45
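
The rule proposed above, as an added sketch that is not part of the original issue or Swarming's code: the XSRF token is enforced only when a cookie is what authenticated the request, and a request with a bad `Authorization` header is rejected rather than falling back to the cookie. The token format, the `X-XSRF-Token` header name, the `sid` cookie and the lookup tables are hypothetical, and the inbound app ID header is assumed to be set by the platform, as the issue relies on.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"                   # constructed; real apps load this from config
OAUTH_TOKENS = {"tok-abc": "user:alice@example.com"}  # constructed stand-in for OAuth validation
SESSIONS = {"sid-123": "user:bob@example.com"}        # constructed cookie sessions
MUTATING = {"POST", "PUT", "DELETE", "PATCH"}
TOKEN_TTL = 3600  # seconds


def make_xsrf_token(identity, now=None):
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SECRET, f"{identity}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def valid_xsrf_token(identity, token, now=None):
    ts, _, mac = (token or "").partition(":")
    if not ts.isdigit() or (now if now is not None else time.time()) - int(ts) > TOKEN_TTL:
        return False
    expected = hmac.new(SECRET, f"{identity}|{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def authenticate(headers, cookies):
    """Return (identity, method); method names the credential that authenticated."""
    if "Authorization" in headers:
        scheme, _, value = headers["Authorization"].partition(" ")
        ident = OAUTH_TOKENS.get(value) if scheme == "Bearer" else None
        return ident, "oauth"  # a bad header is rejected, never downgraded to cookie auth
    if "X-Appengine-Inbound-Appid" in headers:
        # Assumption: the platform sets this header; external callers cannot supply it.
        return "app:" + headers["X-Appengine-Inbound-Appid"], "inbound_appid"
    if cookies.get("sid") in SESSIONS:
        return SESSIONS[cookies["sid"]], "cookie"
    return None, None


def check_request(method, headers, cookies):
    """Return 200 (accepted), 401 (unauthenticated) or 403 (missing/bad XSRF token)."""
    identity, auth = authenticate(headers, cookies)
    if identity is None:
        return 401
    # Only ambient credentials (cookies) are sent automatically, so only they need the token.
    if auth == "cookie" and method in MUTATING:
        if not valid_xsrf_token(identity, headers.get("X-XSRF-Token")):
            return 403
    return 200
```
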

GoogleCodeExporter commented 9 years ago
https://codereview.appspot.com/183610044/

Original comment by vadimsh@chromium.org on 19 Dec 2014 at 9:24