isso/specs
Martin Zimmermann 232e2fb474 another approach to fix #40 (return 403 on false Content-Type)
When an attacker uses a <form> to downvote a comment, the browser
*should* add a `Content-Type: ...` header with three possible values:

    * application/x-www-form-urlencoded
    * multipart/form-data
    * text/plain

If the header is not sent or requests `application/json`, the
request is not forged (XHR is restricted by CORS separately).
2013-12-04 23:36:48 +01:00
fixtures.py another approach to fix #40 (return 403 on false Content-Type) 2013-12-04 23:36:48 +01:00
test_comments.py another approach to fix #40 (return 403 on false Content-Type) 2013-12-04 23:36:48 +01:00
test_cors.py fix unittest 2013-11-17 11:57:48 +01:00
test_guard.py fix unittest for werkzeug==0.8 2013-11-18 12:40:27 +01:00
test_vote.py another approach to fix #40 (return 403 on false Content-Type) 2013-12-04 23:36:48 +01:00