simonw / datasette

An open source multi-tool for exploring and publishing data
https://datasette.io
Apache License 2.0

CSRF protection for /-/messages tool and writable canned queries #793

Closed simonw closed 4 years ago

simonw commented 4 years ago

The /-/messages debug tool will need CSRF protection or people will be able to add messages using a hidden form on another website. Originally posted by @simonw in https://github.com/simonw/datasette/issues/790#issuecomment-637790860

simonw commented 4 years ago

This is a minor security issue with master at the moment, but I'll resolve this before I ship the next release.

simonw commented 4 years ago

I need this for writable canned queries in #698 and #796 too.

simonw commented 4 years ago

I need to land and release the fix for signing cookies in https://github.com/simonw/asgi-csrf/issues/2
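As an added illustration of the protection the thread is after (a token carried in a signed cookie that a legitimate form must echo back, so a hidden form on another origin cannot supply it), here is a minimal double-submit check; this is not Datasette's or asgi-csrf's code, and the secret, cookie name and form field name are assumed:

```python
import hmac
import hashlib
import secrets
from urllib.parse import parse_qs

# Assumed server-side secret; a real deployment loads it from configuration.
SECRET_KEY = b"example-secret-not-for-production"
COOKIE_NAME = "csrftoken"   # assumed cookie name
FIELD_NAME = "csrftoken"    # assumed hidden form field name


def sign(value: str) -> str:
    """Return 'value.signature' so a cookie the server did not issue is detectable."""
    sig = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{sig}"


def unsign(signed: str):
    """Return the token if its signature verifies, otherwise None."""
    value, _, sig = signed.rpartition(".")
    if not value:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(sig, expected) else None


def new_token() -> str:
    """Fresh random token to set in the cookie and embed in the form."""
    return secrets.token_hex(16)


def csrf_ok(method: str, cookie_header: str, form_body: str) -> bool:
    """True when the request may proceed: safe method, or matching cookie/form tokens."""
    if method.upper() not in ("POST", "PUT", "PATCH", "DELETE"):
        return True  # state-changing methods only
    cookies = dict(
        part.strip().split("=", 1) for part in cookie_header.split(";") if "=" in part
    )
    cookie_token = unsign(cookies.get(COOKIE_NAME, ""))
    if cookie_token is None:
        return False  # missing or tampered cookie
    form_token = parse_qs(form_body).get(FIELD_NAME, [""])[0]
    return hmac.compare_digest(cookie_token.encode(), form_token.encode())
```

A cross-origin form can make the browser send the cookie, but it cannot read the cookie to copy the token into the form, so the two never match.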