Closed alandipert closed 5 years ago
Previously one of the SSP detection heuristics was to look for the `ssp-xsrf` header in the initial request's response.

This was wrong, because SSP actually sends the header `x-ssp-xsrf`. `SSP-XSRF` is the name of the cookie it sends.

Note that header names are case sensitive but cookie names are not. Throughout the code, headers are normalized to lower-case.

This change fixes SSP detection by looking for the `x-ssp-xsrf` header, and augments the heuristic by additionally looking for the `SSP-XSRF` cookie.
Refs Trello: https://trello.com/c/pNDKc7DC/1114-shinycannon-ssp-detection-broken
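The old and the fixed heuristic side by side, as an added example that is not part of this PR or of the shinycannon code base (shinycannon is written in Kotlin; this is a Python sketch). The sample responses are constructed, and `is_ssp_old` / `is_ssp` are hypothetical names.

```python
from http.cookies import SimpleCookie

# Constructed sample responses (not captured from a real server). Header names
# are deliberately mixed-case to show why lower-case normalization matters.
SSP_RESPONSE = {
    "status": 200,
    "headers": [
        ("Content-Type", "text/html"),
        ("X-SSP-XSRF", "abc123"),
        ("Set-Cookie", "SSP-XSRF=abc123; Path=/; HttpOnly"),
    ],
}
# Constructed: the header was dropped (e.g. by a proxy) but the cookie survives.
COOKIE_ONLY_RESPONSE = {
    "status": 200,
    "headers": [("Set-Cookie", "SSP-XSRF=abc123; Path=/")],
}
PLAIN_SHINY_RESPONSE = {"status": 200, "headers": [("Content-Type", "text/html")]}


def normalize_headers(headers):
    """Lower-case every header name; keep all values (Set-Cookie may repeat)."""
    out = {}
    for name, value in headers:
        out.setdefault(name.lower(), []).append(value)
    return out


def cookie_names(headers):
    """Collect cookie names from every Set-Cookie header, case preserved."""
    names = set()
    for raw in normalize_headers(headers).get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(raw)  # parses "name=value; attr; attr" into cookie morsels
        names.update(jar.keys())
    return names


def is_ssp_old(response):
    """Pre-fix heuristic: looks for a header name SSP never sends."""
    return "ssp-xsrf" in normalize_headers(response["headers"])


def is_ssp(response):
    """Fixed heuristic: the x-ssp-xsrf header, or the SSP-XSRF cookie."""
    headers = normalize_headers(response["headers"])
    return "x-ssp-xsrf" in headers or "SSP-XSRF" in cookie_names(response["headers"])
```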