Commit Graph

2 Commits

Author SHA1 Message Date
Martin Zimmermann
6c06b69dc5 another approach to fix (return 403 on false Content-Type)
When an attacker uses a <form> to downvote a comment, the browser
*should* add a `Content-Type: ...` header with three possible values:

    * application/x-www-form-urlencoded
    * multipart/form-data
    * text/plain

If the header is not sent or requests `application/json`, the
request is not forged (XHR is restricted by CORS separately).
2013-12-08 00:33:13 +01:00
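The check described in the commit message above, written out as an added example that is not Isso's own code: a state-changing endpoint rejects any request whose Content-Type is one of the three media types an HTML `<form>` can produce, and accepts a missing header or `application/json`, which a cross-site form cannot send. The function names (`media_type`, `is_forged_form_post`, `csrf_status`) and the sample requests are assumptions constructed for the illustration; the caveats in the comments (parameters such as `charset=` or `boundary=`, header-name case) are what a practitioner would want to get right when wiring this into a real handler.

```python
"""Content-Type based CSRF check for a JSON API (added example, not Isso's code).

A browser will only ever attach one of three Content-Types to a <form>
submission (the enctype attribute).  A request that carries any other
Content-Type, or none at all, cannot have been produced by a plain form;
scripted requests with such headers are governed by CORS instead.
"""
from typing import Mapping, Optional

# The only media types a <form> can send (enctype attribute values).
FORM_CONTENT_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})


def header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def media_type(content_type: Optional[str]) -> Optional[str]:
    """Strip parameters (e.g. '; charset=utf-8', '; boundary=...') and normalise case.

    Comparing the raw header string would let 'multipart/form-data; boundary=x'
    slip past an exact-match check.
    """
    if content_type is None:
        return None
    return content_type.split(";", 1)[0].strip().lower()


def is_forged_form_post(headers: Mapping[str, str]) -> bool:
    """True when the request could have been produced by a cross-site <form>."""
    return media_type(header(headers, "Content-Type")) in FORM_CONTENT_TYPES


def csrf_status(headers: Mapping[str, str]) -> int:
    """Status a hypothetical vote endpoint would return for these headers.

    403 for form-capable Content-Types; 200 for JSON or no Content-Type.
    Applies to POST/PUT/DELETE handlers only: GET must never change state,
    because a form (or an <img>) can always issue a GET.
    """
    return 403 if is_forged_form_post(headers) else 200


# Constructed sample requests, labelled as the handler would treat them.
SAMPLE_REQUESTS = [
    ("form, default enctype", {"Content-Type": "application/x-www-form-urlencoded"}),
    ("form, file upload", {"content-type": "multipart/form-data; boundary=----xyz"}),
    ("form, text/plain", {"Content-Type": "text/plain; charset=utf-8"}),
    ("XHR/fetch JSON", {"Content-Type": "application/json"}),
    ("no Content-Type", {}),
]


def classify_samples() -> dict:
    """Map each constructed sample to the status the check produces."""
    return {label: csrf_status(hdrs) for label, hdrs in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, status in classify_samples().items():
        print(f"{status}  {label}")
```

Note that accepting a missing Content-Type only stays safe if the handler then parses the body strictly as JSON; an endpoint that falls back to reading form fields when the header is absent would reopen the hole. A `fetch`/XHR request that sets `Content-Type: application/json` is not a "simple" request, so the browser sends a CORS preflight first, which is the separate restriction the commit message refers to.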
Martin Zimmermann
f0ee0a18b1 move unittest helpers into a separate file 2013-11-13 14:25:05 +01:00