This repository has been archived by the owner on Nov 9, 2017. It is now read-only.
There is a possible attack using the API. As the session cookie is not protected, an attacker knowing the endpoint URL can execute XHR using the authenticated user's credentials without the user's consent.
One possible way to solve this is removing the session cookie from the login API (which also requires a rewrite of the unit tests) and disabling CORS credentials. The alternative could be a token similar to OAuth2.
Another way is to validate the CORS origin to only include the web interface and the Cordova packaged app.
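An origin allowlist of the kind the issue proposes, written as an added example that is not the project's own code: the server only echoes an `Origin` that exactly matches a fixed set and never combines a wildcard with credentials. The origin strings are assumed placeholders, not URLs from the project.

```javascript
// Allowlisted origins (assumed placeholder values, not the project's real ones).
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',  // the web interface
  'https://localhost',        // Cordova WebView origin (depends on platform config)
]);

// Compute CORS response headers for a request's Origin header.
// Returns null when the origin is not allowlisted; the caller then sends
// no Access-Control-* headers at all, so a browser on a foreign origin
// cannot read the response even though the session cookie was attached.
function corsHeadersFor(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  // Exact string match only: no prefix, substring or regex checks, so
  // "https://app.example.com.evil.net" or a missing Origin never passes.
  if (typeof requestOrigin !== 'string' || !allowlist.has(requestOrigin)) {
    return null;
  }
  return {
    // Echo the single matched origin; '*' is invalid with credentials.
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // Caches must key the response on the Origin header.
    'Vary': 'Origin',
  };
}

// Handle a request object { method, headers } and return { status, headers }.
// Preflights (OPTIONS) from unknown origins get a plain 403 with no CORS
// headers; allowed ones get the methods/headers the API actually supports.
function applyCors(req) {
  const cors = corsHeadersFor(req.headers['origin']);
  if (cors === null) {
    return { status: req.method === 'OPTIONS' ? 403 : 200, headers: {} };
  }
  if (req.method === 'OPTIONS') {
    return {
      status: 204,
      headers: {
        ...cors,
        'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE',
        'Access-Control-Allow-Headers': 'Content-Type',
      },
    };
  }
  return { status: 200, headers: cors };
}
```

A non-CORS response (status 200 with empty headers) still executes the request server-side; pairing the allowlist with a CSRF token or the token-based login the issue mentions closes that remaining gap.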