dave2wave commented on issue #786:
URL: https://github.com/apache/tooling-trusted-releases/issues/786#issuecomment-3987066808

   ChatGPT agrees that this approach is wrong and would break our API!
   
   Instead:
   ```python
   # atr/blueprints/api.py
   
   from quart import request
   
   @_BLUEPRINT.before_request
   async def _csrf_defense_in_depth() -> None:
       """
       CSRF defense-in-depth for API routes.
   
       - Primary control: explicit Authorization (JWT)
       - Browser detection: Sec-Fetch-Site enforcement (already present)
       - Origin is intentionally *not* allowlisted to preserve cross-origin API use
       """
       origin = request.headers.get("Origin")
   
       # Explicitly read Origin to make the control visible and auditable.
       # No allowlist enforcement by design (API is cross-origin).
       if origin is not None:
           pass
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
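The layered policy the comment's docstring sketches (explicit bearer token as the primary control, Sec-Fetch-Site as browser detection, Origin read but not allowlisted), as an added framework-free example that is not the project's code; the reason codes, the `csrf_decision` and `has_bearer` names and the exact ordering of the layers are assumptions chosen so each layer is distinguishable in logs.

```python
from dataclasses import dataclass
from typing import Mapping, Optional

# Reason strings (constructed here) so each layer shows up separately in audit logs.
ALLOW = "allow"
DENY_CROSS_SITE_BROWSER = "deny: cross-site browser request without explicit Authorization"
DENY_NO_BEARER = "deny: missing Authorization: Bearer (primary control)"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    origin: Optional[str]  # recorded for auditability only; never used to block


def has_bearer(raw_headers: Mapping[str, str]) -> bool:
    """True when an explicit 'Authorization: Bearer <token>' header is present.

    A browser never attaches this header on a victim's behalf (unlike cookies,
    which are sent ambiently), which is why it is the primary CSRF control.
    """
    headers = {k.lower(): v for k, v in raw_headers.items()}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    return scheme.lower() == "bearer" and token.strip() != ""


def csrf_decision(raw_headers: Mapping[str, str]) -> Decision:
    """Hypothetical defense-in-depth policy for an API route.

    Layer 1 (browser detection): only browsers send Sec-Fetch-Site. A value of
    'cross-site' with no explicit bearer is exactly the CSRF shape (ambient
    cookies from another site), so it is rejected with its own reason code.
    Layer 2 (primary control): every request must carry an explicit bearer.
    Origin is read for the audit record but deliberately not allowlisted, so a
    legitimate cross-origin API client that presents a bearer still passes.
    """
    headers = {k.lower(): v for k, v in raw_headers.items()}
    origin = headers.get("origin")
    site = headers.get("sec-fetch-site")
    bearer = has_bearer(headers)

    if site == "cross-site" and not bearer:
        return Decision(False, DENY_CROSS_SITE_BROWSER, origin)
    if not bearer:
        return Decision(False, DENY_NO_BEARER, origin)
    return Decision(True, ALLOW, origin)
```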

