rietveld-codereview / rietveld

Code Review, hosted on Google App Engine
https://codereview.appspot.com
Apache License 2.0

Simplify XSRF for RPC methods #161

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
We use git-cl to manage code reviews with git, but since r466 the "git-cl close" command fails due to the added XSRF protection. The security is of course important, though the current method makes scripting difficult since it requires first fetching a page to parse out the token. For views such as "close" that are posted via XHR a simpler way to protect them is by requiring a custom HTTP header. For example, see the Google Visualization API docs on securing custom data sources:
http://code.google.com/apis/visualization/documentation/dev/implementing_data_source.html#security_considerations

E.g. in M_closeIssue:
  httpreq.open("POST", "/" + id + "/close", true);
  httpreq.setRequestHeader("X-Rietveld-XSRF", "true");
  httpreq.send();

This would allow for easy protection of the JavaScript requests and allow for easy scripting in tools like git-cl which can also use these custom headers.

I'll set up Rietveld locally later to work on a patch for this.

Original issue reported on code.google.com by m...@matt-good.net on 12 Oct 2009 at 6:19
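The server side of the scheme proposed above, as an added example that is not code from the Rietveld project or from the issue author. It shows the check an RPC view such as "close" would apply: a cross-site HTML form can POST to the endpoint but cannot attach a custom request header, so requiring the header on POST rejects forged cross-site requests, while same-origin XHR and a CLI like git-cl can set it freely. The `Request` class, the `require_xsrf_header` decorator and the `close_issue` view are assumptions made for this example; only the header name `X-Rietveld-XSRF` comes from the issue.

```python
"""Custom-header XSRF check for RPC-style views (added example, not Rietveld code).

The protection rests on the browser: a <form> or <img> on another site cannot
add an arbitrary header to the request it causes, and a cross-origin XHR that
tries to add one triggers a CORS preflight that this server never approves.
So the mere presence of the header proves the POST came from same-origin
script or from a tool the user ran on purpose (e.g. git-cl).
"""
import functools

# Header name proposed in the issue; the value is irrelevant, presence matters.
REQUIRED_HEADER = "X-Rietveld-XSRF"


class Request:
    """Minimal stand-in for a webapp request (assumed shape for this example)."""

    def __init__(self, method, path, headers=None):
        self.method = method
        self.path = path
        # HTTP header names are case-insensitive; normalise once.
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}


def require_xsrf_header(handler):
    """Allow only POSTs that carry the custom header; everything else is refused."""

    @functools.wraps(handler)
    def wrapper(request, *args, **kwargs):
        if request.method != "POST":
            # State-changing RPCs must be POST; a GET could be triggered by an <img>.
            return 405, "method not allowed"
        if not request.headers.get(REQUIRED_HEADER.lower()):
            # No header: this is what a cross-site form POST looks like.
            return 403, "missing %s header" % REQUIRED_HEADER
        return handler(request, *args, **kwargs)

    return wrapper


@require_xsrf_header
def close_issue(request, issue_id):
    """Hypothetical RPC view standing in for /<id>/close."""
    return 200, "issue %s closed" % issue_id


def cors_preflight_allows_xsrf_header(origin, own_origin="https://codereview.appspot.com"):
    """Whether a CORS preflight may list X-Rietveld-XSRF in Access-Control-Allow-Headers.

    Echoing the header back for a foreign origin would let a hostile page set it
    and defeat the scheme, so the answer is yes only for the server's own origin
    (where no preflight happens in practice anyway).
    """
    return origin == own_origin


if __name__ == "__main__":
    # Constructed requests: same-origin XHR, cross-site form POST, git-cl style call.
    print(close_issue(Request("POST", "/42/close", {"X-Rietveld-XSRF": "true"}), "42"))
    print(close_issue(Request("POST", "/42/close",
                              {"Content-Type": "application/x-www-form-urlencoded"}), "42"))
    print(close_issue(Request("POST", "/42/close", {"x-rietveld-xsrf": "git-cl"}), "42"))
```

The decorator is the whole control: no per-page token is minted or stored, which is what makes the scheme scriptable. The one server-side obligation it adds is in `cors_preflight_allows_xsrf_header`: the server must never whitelist the custom header for other origins, or any page could send it.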

GoogleCodeExporter commented 9 years ago
Thanks, it would be great to have a patch for this.

Original comment by gvanrossum@gmail.com on 12 Oct 2009 at 6:35

GoogleCodeExporter commented 9 years ago

Original comment by albrecht.andi on 6 Apr 2012 at 7:41