
HTM-1032: Disable CSRF filter for FeaturesController #781

Merged
merged 1 commit into from
Apr 10, 2024

Conversation

matthijsln
Member

@matthijsln matthijsln commented Apr 10, 2024

The FeaturesController only uses POST for an idempotent request because the filter can possibly be too large for a URL query parameter, so with a POST request the filter can be sent in the request body. Disable CSRF protection for this controller so feature info requests etc. can be used when Tailormap is embedded in an iframe, when the XSRF token can't be read from the 3rd party cookie (even with SameSite=None, with strict browser protection settings this is still blocked by some current browsers, which have those by default).
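The kind of configuration the description refers to, as an added example rather than Tailormap's own ApiSecurityConfiguration: a Spring Security 6 filter chain that keeps CSRF on for the whole API, serves the token in an XSRF-TOKEN cookie, and exempts only the idempotent features endpoint. The class name and the route pattern are assumptions, and the exemption is narrowed to POST on that one path so the rest of the API keeps its protection.

```java
// Added example, not the project's code. The path below is a hypothetical route for
// the features controller; substitute the real one.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class CsrfExemptionExample {

  // Hypothetical route of the features controller (assumption, not Tailormap's real path).
  private static final String FEATURES_PATH = "/api/app/*/layer/*/features";

  @Bean
  public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
    http.csrf(csrf -> csrf
        // XSRF-TOKEN cookie readable by front-end JavaScript; this is the cookie that an
        // embedded iframe cannot read when the browser blocks third-party cookies.
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        // Exempt only this path and only for POST. This is safe solely because the
        // handler is idempotent: the body carries a query filter and the request changes
        // no server state, so a forged cross-site POST gains nothing. Any state-changing
        // handler later mounted under this pattern would be unprotected, so keep the
        // matcher as narrow as the controller's routes allow.
        .ignoringRequestMatchers(
            AntPathRequestMatcher.antMatcher(HttpMethod.POST, FEATURES_PATH)));
    return http.build();
  }
}
```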

…for idempotent request large filter in body) so it can be used when in an iframe
@matthijsln matthijsln requested a review from mprins April 10, 2024 09:13
@matthijsln matthijsln self-assigned this Apr 10, 2024

codecov bot commented Apr 10, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77%. Comparing base (3ee86fc) to head (3df0c38).

Additional details and impacted files


@@           Coverage Diff           @@
##             main   #781     +/-   ##
=======================================
+ Coverage       6%    77%    +72%     
  Complexity     78     78             
=======================================
  Files          88     88             
  Lines        3810   3811      +1     
  Branches      378    378             
=======================================
+ Hits          194   2929   +2735     
+ Misses       3597    687   -2910     
- Partials       19    195    +176     
Files Coverage Δ
...ilormap/api/security/ApiSecurityConfiguration.java 54% <100%> (+54%) ⬆️

... and 80 files with indirect coverage changes


Test Results

242 tests  ±0   241 ✅ +37   2m 50s ⏱️ -4s
 23 suites ±0     1 💤 ± 0 
 23 files   ±0     0 ❌  - 34 

Results for commit 3df0c38. ± Comparison against base commit 3ee86fc.

@mprins mprins added the enhancement New feature or request label Apr 10, 2024
@matthijsln matthijsln merged commit 0208704 into main Apr 10, 2024
21 checks passed
@matthijsln matthijsln deleted the HTM-1032-disable-csrf-for-features-controller branch April 10, 2024 12:16