[
https://issues.apache.org/jira/browse/COUCHDB-2797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14729964#comment-14729964
]
Dale Harvey commented on COUCHDB-2797:
--------------------------------------
Alexander, what do you mean CSRF from trusted origins? if someone exploits a
trusted origin then its not csrf right? an example of situation you are
referring to would be useful. Cheers
> Apply CSRF protection only to form submissions
> ----------------------------------------------
>
> Key: COUCHDB-2797
> URL: https://issues.apache.org/jira/browse/COUCHDB-2797
> Project: CouchDB
> Issue Type: Bug
> Security Level: public(Regular issues)
> Reporter: Robert Newson
>
> The new CSRF double-submit protection should be applied to form submissions,
> not all requests. XHR requests, in particular, are not vulnerable to CSRF, so
> we should skip the check there, saving middleware and other tools the effort
> of supporting this feature.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
