[
https://issues.apache.org/jira/browse/COUCHDB-2797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14729795#comment-14729795
]
ASF GitHub Bot commented on COUCHDB-2797:
-----------------------------------------
GitHub user rnewson opened a pull request:
https://github.com/apache/couchdb/pull/341
Adapt csrf test to hit form data endpoint
COUCHDB-2797
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/cloudant/couchdb 2797-csrf-mime-types
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/couchdb/pull/341.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #341
----
commit 315832d4dbc402347e4154eaf17b20587bbb6ea0
Author: Robert Newson <[email protected]>
Date: 2015-09-03T21:06:58Z
Adapt csrf test to hit form data endpoint
COUCHDB-2797
----
> Apply CSRF protection only to form submissions
> ----------------------------------------------
>
> Key: COUCHDB-2797
> URL: https://issues.apache.org/jira/browse/COUCHDB-2797
> Project: CouchDB
> Issue Type: Bug
> Security Level: public(Regular issues)
> Reporter: Robert Newson
>
> The new CSRF double-submit protection should be applied to form submissions,
> not all requests. XHR requests, in particular, are not vulnerable to CSRF, so
> we should skip the check there, saving middleware and other tools the effort
> of supporting this feature.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
