stormpath / stormpath-framework-spec

Language-agnostic API specification for Stormpath Framework Integrations

GET Requests on /logout #112

Open edjiang opened 8 years ago

edjiang commented 8 years ago

@robertjd - I couldn't get Chrome to prefetch this page for me, so I wasn't able to test if it worked. Can you please test this and let me know if it works properly?

I said this would be "under 20 lines of code"; I got it to 19! Maybe you can get it to 1? ;]

```pug
doctype html
html
  head
    title Logout
    script(type='text/javascript').
      var form = document.createElement('form');
      form.method = "POST";
      // Browsers ignore submit() on a form that is not in the document, so attach it first.
      document.documentElement.appendChild(form);
      form.submit();
  body
    noscript
      p Click this button to logout.
      form(method='post')#logout
        input(type='submit', value='Logout')
```

```html
<!DOCTYPE html>
<html>
  <head>
    <title>Logout</title>
    <script type="text/javascript">
      var form = document.createElement('form');
      form.method = "POST";
      // Browsers ignore submit() on a form that is not in the document, so attach it first.
      document.documentElement.appendChild(form);
      form.submit();
    </script>
  </head>
  <body>
    <noscript>
      <p>Click this button to logout.</p>
      <form method="post" id="logout">
        <input type="submit" name="logout" value="Logout">
      </form>
    </noscript>
  </body>
</html>
```
nbarbettini commented 8 years ago

Looks good.

We also need to add configuration support for a "view" for the logout route, now that we're returning HTML for that route.

robertjd commented 8 years ago

Note to self for when I review in detail: can this be used in an iframe to recreate a logout CSRF attack? If so we need to set X-Frame-Options: SAMEORIGIN on this response
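Putting the two comments together, here is an added example (not Stormpath's own code, and not the spec's API) of a framework-agnostic /logout handler: the GET only renders the auto-submitting page, the POST is the only request that ends the session, and the rendered page carries the X-Frame-Options: SAMEORIGIN header robertjd's note asks for. The `req.method` input, the returned response shape and the `session` cookie name are assumptions of this example.

```javascript
// Added example, not Stormpath's own code. Models the /logout behaviour from
// this issue as a framework-agnostic handler: GET only renders a page whose
// script POSTs back, so a prefetch cannot log anyone out; POST ends the session.
// `req.method` and the returned response shape are assumptions of this example.
const LOGOUT_PAGE = `<!DOCTYPE html>
<html>
  <head>
    <title>Logout</title>
    <script type="text/javascript">
      var form = document.createElement('form');
      form.method = 'POST';
      form.action = '/logout';
      // submit() is ignored on a form that is not in the document, so attach it first.
      document.documentElement.appendChild(form);
      form.submit();
    </script>
  </head>
  <body>
    <noscript>
      <p>Click this button to logout.</p>
      <form method="post" action="/logout" id="logout">
        <input type="submit" name="logout" value="Logout">
      </form>
    </noscript>
  </body>
</html>`;

function handleLogout(req) {
  if (req.method === 'GET') {
    // Render only: a prefetch, link or image load must have no side effect.
    return {
      status: 200,
      headers: {
        'Content-Type': 'text/html; charset=utf-8',
        // Blocks the cross-site iframe variant raised in the thread.
        'X-Frame-Options': 'SAMEORIGIN',
        'Cache-Control': 'no-store',
      },
      body: LOGOUT_PAGE,
      sessionCleared: false,
    };
  }
  if (req.method === 'POST') {
    // Cookie name is an assumption; the real integration clears its own session.
    const headers = { Location: '/', 'Set-Cookie': 'session=; Max-Age=0; Path=/; HttpOnly' };
    return { status: 302, headers, body: '', sessionCleared: true };
  }
  return { status: 405, headers: { Allow: 'GET, POST' }, body: '', sessionCleared: false };
}
```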