arno/isso
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
426 Commits 14 Branches 38 Tags 5.8 MiB
417bd4614c
Commit Graph

4 Commits

Author SHA1 Message Date
Martin Zimmermann
232e2fb474 another approach to fix #40 (return 403 on false Content-Type) 
When an attacker uses a <form> to downvote a comment, the browser
*should* add a `Content-Type: ...` header with three possible values:

    * application/x-www-form-urlencoded
    * multipart/form-data
    * text/plain

If the header is not sent or requests `application/json`, the
request is not forged (XHR is restricted by CORS separately).
 2013-12-04 23:36:48 +01:00
Martin Zimmermann
b839b2be31 HTTP Origin is only sent on cross-origin requests in Firefox 
Therefore, only raise Forbidden if Origin (or Referer for MSIE) is sent
(which is a protected header and all modern browsers (except IE)).

Also add a basic unit test which asserts the failure for false origins.
 2013-12-04 17:09:22 +01:00
Martin Zimmermann
4c16ba76cc fix unittests 2013-12-01 13:40:11 +01:00
Martin Zimmermann
f0ee0a18b1 move unittest helpers into a separate file 2013-11-13 14:25:05 +01:00