fix: prevent unrelated websites from modifying shortlinks via CSRF
Added two mitigations for this issue:

- Attach an 'X-Requested-With' header in client requests
- Make sure client POST requests have a content type of "application/json"
midchildan committed Nov 12, 2020
1 parent 043936a commit 49f834a
Showing 3 changed files with 47 additions and 12 deletions.
4 changes: 3 additions & 1 deletion web/assets/lib/xhr.ts
@@ -48,7 +48,9 @@ namespace xhr {
export var create = (method: string, url: string) => {
var xhr = new XMLHttpRequest();
xhr.open(method, url, true);
return new Req(xhr);

var req = new Req(xhr);
return req.withHeader('X-Requested-With', 'XMLHttpRequest');
};

export var get = (url: string) => {
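Review bot: adding X-Requested-With in `create` is only a CSRF mitigation if the server rejects state-changing requests that arrive without it (a cross-origin form post cannot set a custom header, and a cross-origin XHR that does set it triggers a CORS preflight the server can refuse), and that server-side check is not visible in this hunk; please confirm it exists, along with the commit message's second mitigation (rejecting POSTs whose Content-Type is not application/json), which does not appear here either. The new return value also depends on `Req.withHeader` returning the request instance rather than void; if it does not, `create` now returns undefined, so its signature is worth a quick check. Minor: `var req` could be `const` since it is never reassigned.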
20 changes: 10 additions & 10 deletions web/bindata.go
