Trying to do so while guarding against errors and sanitizing input was more code and slower
than targeting the one possible cookie we might care about.
So the code is simpler and
the performance is better, and the effect of stray cookies are mitigated.
If an invalid cookie from another site breaks the cookie jar,
then sanitize it.
https://bugs.python.org/issue31456
Performance enhancement through setting a header in javascript in
lieu of cookie parsing seems a wise move for the future.
If a session is closed, also kill off any associated
relays in progress. One exception, video port relay
in ESTABLISHED is left alone due to limitation, but
at least no new open.
This prevents sockets from opening up to the world that could be used
to connect to management interfaces directly, apart from the specific
requestors.
Web forward from popup context requires it be exempt from CSRF
protection. This is harmless (as all GET should be, but erring on side
of caution), so add it to the whitelist of CSRF skipping on a CSRF
enabled client session.
This has no functional difference, just a cosmetic
difference that does not give the erroneous impression
a logout actually occurred. This does mean that if a browser
disables cookies and uses the api explorer, there would
be an opportunity for a CSRF.
At some expense of convenience, make it difficult
for CSRF to succeed even against the API explorer
for most people. User/Password will now only be
accepted on hitting enter in the address bar rather
than following any link.
Regardless of whether the client uses it as a session id
or not, the fact remains a sessionid is assigned.
Pass the session id in the auth data even if the client
did not send it.
This makes the exceptions more self describing and simplifies httpapi and sockapi.
An important step to improve asynchttp conveyance of error data that would normally
be an http error in synchronous operation.
Enable a WebUI to request an auth token. This will allow it to indicate it is running in a browser and have the server implement protections such that
other software in the browser cannot send arbitrary requests into the server API.
This is implemented in a backward compatible fashion, allowing, for example, purely non-browser clients to ignore the CSRF protection as
it doesn't apply to that use case.
HTTP console API did not have a means to send break
or request session reopen. Rectify this discrepency
by adding an 'action' key to request certain console
specific actions. In retrospect, closing the session
should have just been an 'action', but leaving things
as-is.
