> May I suggest that the check becomes configurable? The admin that will place
> the web-client behind a mod_proxy should be told to change that flag too and
> loosen the check.

That would work, or could just check if tools.proxy.on = True in the config for now. The CSRF could be improved to use a token in the future - but that would require the check on every POST.

--
You received this bug notification because you are a member of C2C OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/690514

Title:
  [trunk] CSRF check in 4091 breaks mod_proxy

Status in OpenObject Web Client:
  New

Bug description:
  The CSRF check won't work in most cases with mod_proxy - the host/ref is going to be different (e.g. 127.0.0.1)

  Likely better way to do it is using a token/hidden field... I'd provide a patch but I haven't worked much with the web client yet.
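
The failure mode in the bug description and the two remedies raised in the thread, as an added example that is not code from the OpenERP web client. The function names, the `proxy_on` parameter (standing in for the `tools.proxy.on` setting mentioned above), the use of `X-Forwarded-Host`, and the sample request are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed sample: a POST as the backend sees it behind a reverse proxy.
# Host is the backend address; the browser's Referer names the public site.
PROXIED_POST = {
    "Host": "127.0.0.1:8080",
    "X-Forwarded-Host": "erp.example.com",
    "Referer": "https://erp.example.com/openerp/form/save",
}
SECRET = secrets.token_bytes(32)  # constructed per-deployment secret


def origin_check(headers, proxy_on=False):
    """Referer-vs-host comparison (assumed shape of the check in the bug).

    With proxy_on=False it compares against Host and rejects every proxied
    POST. With proxy_on=True it trusts X-Forwarded-Host, which is only safe
    when the backend is reachable solely through the proxy.
    """
    expected = headers.get("Host", "")
    if proxy_on and headers.get("X-Forwarded-Host"):
        expected = headers["X-Forwarded-Host"].split(",")[0].strip()
    referer_host = urlsplit(headers.get("Referer", "")).netloc
    return bool(referer_host) and referer_host == expected


def issue_token(secret, session_id):
    """Token for a hidden form field, bound to the user's session."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(secret, session_id, submitted):
    """Validate the hidden-field token; independent of Host and Referer."""
    expected = issue_token(secret, session_id).encode()
    return hmac.compare_digest(expected, (submitted or "").encode())


if __name__ == "__main__":
    print("strict check:     ", origin_check(PROXIED_POST))
    print("proxy-aware check:", origin_check(PROXIED_POST, proxy_on=True))
    tok = issue_token(SECRET, "sid-123")
    print("token check:      ", token_valid(SECRET, "sid-123", tok))
```

The token check has to run on every state-changing POST, which is the cost the reply points out, but it gives the same answer whether or not a proxy rewrites the Host header.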

