mirror of
https://github.com/xcat2/confluent.git
synced 2024-11-26 11:30:23 +00:00
Exempt Web Forwarding from CSRF
Web forward from popup context requires it be exempt from CSRF protection. This is harmless (as all GET should be, but erring on side of caution), so add it to the whitelist of CSRF skipping on a CSRF enabled client session.
This commit is contained in:
parent
8694eca40b
commit
a962a5afc3
@ -216,11 +216,17 @@ def _should_skip_authlog(env):
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
def _csrf_exempt(path):
|
||||
# first a get of info to get CSRF key, also '/forward/web' to enable
|
||||
# the popup ability to just forward
|
||||
return path == '/sessions/current/info' or path.endswith('/forward/web')
|
||||
|
||||
|
||||
def _csrf_valid(env, session):
|
||||
# This could be simplified into a statement, but this is more readable
|
||||
# to have it broken out
|
||||
if (env['REQUEST_METHOD'] == 'GET' and
|
||||
env['PATH_INFO'] == '/sessions/current/info'):
|
||||
if (env['REQUEST_METHOD'] == 'GET' and _csrf_exmept(env['PATH_INFO']):
|
||||
# Provide a web client a safe hook to request the CSRF token
|
||||
# This means that we consider GET of /sessions/current/info to be
|
||||
# a safe thing to inflict via CSRF, since CORS should prevent
|
||||
|
Loading…
Reference in New Issue
Block a user