Bhuvan Arumugam created AURORA-705:
--------------------------------------
Summary: CSRF protection for aurora web interface
Key: AURORA-705
URL: https://issues.apache.org/jira/browse/AURORA-705
Project: Aurora
Issue Type: Task
Components: Scheduler
Affects Versions: 0.5.0
Reporter: Bhuvan Arumugam
The Aurora web requests don't include an {{X-CSRF-TOKEN}} header or a {{CSRF-TOKEN}}
cookie. These 2 fields in the HTTP request are necessary to protect users from
cross-site request fraud.
Similarly, the {{CorsFilter}} on the server side should allow this header. Looks
like the {{com.google.common.net.HttpHeaders}} library used to manage headers doesn't
support adding the {{X-CSRF-Token}} header to {{Access-Control-Allowed-Headers}}.
Considering that AngularJS and the scheduler interact using POST for most
endpoints, using thrift/{{XMLHttpRequest}}, it's important to protect against
CSRF frauds.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)