[
https://issues.apache.org/jira/browse/COUCHDB-2797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14729793#comment-14729793
]
ASF GitHub Bot commented on COUCHDB-2797:
-----------------------------------------
GitHub user rnewson opened a pull request:
https://github.com/apache/couchdb-couch/pull/96
Restrict CSRF check to specific mime types
COUCHDB-2797
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/cloudant/couchdb-couch 2797-csrf-mime-types
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/couchdb-couch/pull/96.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #96
----
commit d1dd5d67e25d4190c96f88507fb1ed0c4225baff
Author: Robert Newson <[email protected]>
Date: 2015-09-03T20:42:47Z
Restrict CSRF check to specific mime types
COUCHDB-2797
----
> Apply CSRF protection only to form submissions
> ----------------------------------------------
>
> Key: COUCHDB-2797
> URL: https://issues.apache.org/jira/browse/COUCHDB-2797
> Project: CouchDB
> Issue Type: Bug
> Security Level: public(Regular issues)
> Reporter: Robert Newson
>
> The new CSRF double-submit protection should be applied to form submissions,
> not all requests. XHR requests, in particular, are not vulnerable to CSRF, so
> we should skip the check there, saving middleware and other tools the effort
> of supporting this feature.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
