Fix for issue #149: CSRF protection URI whitelisting #236
… backwards compatibility.
…to be whitelisted from CSRF verification. Fixes #149
…st URIs from CSRF protection
Gah, GitHub picked up on some other irrelevant commits. The last two in the list above are the relevant commits.
@alexbilbie Excellent work. Do you have any thoughts on whether it would be better to whitelist based on external URLs instead of your own URIs?
No no, that would be far too complicated, wouldn't scale, etc. Better to have one or two endpoints that explicitly don't check for a CSRF cookie and yet still have the rest of your application secure.
@alexbilbie Can you also add a note in the changelog about this?
Great! I needed it some months ago. Thanks.
Awesome fix! I have a little lump of code that allows generalized URIs to be whitelisted. For example, if you specify only the controller, all methods will be whitelisted too. Is that something EllisLab would appreciate within this feature too? Great fix alexbilbie!
Is this available in the latest stable version, 2.1.0?
Still not available in 2.1.1 :-(
For some reason this wasn't merged into the 2.1 or 2.1.1 releases. It will definitely be in 3.0.
Fix indentation from newest merges.
Still nothing on 2.1.3... It would be a great feature.
Fix for issue #149
When developing applications that may have a web front end and an API front end (for example using Phil's REST server library), if you have CSRF protection enabled then POST API requests will fail, because a non-existent CSRF token can't be verified when the request is received.
The changes here add a new config parameter 'csrf_exclude_uris' which allows for URIs to be whitelisted from CSRF protection.
I've also updated the Security library documentation.
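A stand-alone illustration of how such a whitelist is consulted before the token check, added here as an example and not code from this pull request or from CodeIgniter itself. The `csrf_protection` and `csrf_exclude_uris` keys and the default token name `csrf_test_name` follow CodeIgniter's config.php; the endpoint names and the two helper functions are assumptions.

```php
<?php
// Assumed config fragment (application/config/config.php layout).
// Every URI listed in csrf_exclude_uris skips verification; all other URIs stay protected.
$config['csrf_protection']   = TRUE;
$config['csrf_token_name']   = 'csrf_test_name';
$config['csrf_exclude_uris'] = array(
    'api/users',    // hypothetical REST endpoints served to non-browser clients
    'api/orders',
);

// Illustrative helper (not the library's implementation): exact-match lookup of the
// request URI against the exclusion list, compared in the slash-trimmed form the
// URI class produces, so 'api/users' and '/api/users/' are the same entry.
function csrf_uri_is_excluded($uri_string, array $exclude_uris)
{
    $uri_string = trim($uri_string, '/');
    foreach ($exclude_uris as $excluded) {
        if (strcasecmp(trim($excluded, '/'), $uri_string) === 0) {
            return TRUE;   // exact match only: 'api/users/42' is still verified
        }
    }
    return FALSE;
}

// Illustrative decision the verification routine has to make for a POST request.
// Returns TRUE when the request may proceed.
function csrf_verify_request($uri_string, array $post, $cookie_token, array $config)
{
    if (empty($config['csrf_protection'])) {
        return TRUE;    // protection disabled globally
    }
    if (csrf_uri_is_excluded($uri_string, $config['csrf_exclude_uris'])) {
        // Excluded endpoint: no token is required, so the API layer itself must
        // authenticate the caller by other means (e.g. an API key in a header).
        return TRUE;
    }
    $name  = $config['csrf_token_name'];
    $token = isset($post[$name]) ? $post[$name] : NULL;
    // Constant-time comparison of the submitted token against the cookie value.
    return $token !== NULL && $cookie_token !== NULL && hash_equals($cookie_token, $token);
}

// Constructed requests: an API POST with no token on an excluded URI, and the same
// token-less POST on a non-excluded URI, which must be rejected.
csrf_verify_request('api/users', array(), NULL, $config);
csrf_verify_request('account/delete', array(), NULL, $config);
```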