This repository has been archived by the owner on Nov 9, 2017. It is now read-only.

Security: CSRF possibility #24

Open
whs opened this issue Mar 4, 2015 · 0 comments
whs (Contributor) commented Mar 4, 2015

There is a possible attack using the API. As the session cookie is not protected, an attacker knowing the endpoint URL can execute XHR using the authenticated user's credentials without the user's consent.

One possible way to solve this is removing the session cookie from the login API (which also requires a rewrite of the unit tests) and disabling CORS credentials. The alternative could be a token similar to OAuth2.

Another way is to validate the CORS origin to only include the web interface and the Cordova packaged app.

@whs whs added the bug label Mar 4, 2015
@whs whs self-assigned this Mar 4, 2015
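The third option in the report, an origin allowlist for a cookie-authenticated API, as an added example (this is not code from the project or from the issue author). The origins in the allowlist, the request shapes and the header names beyond the standard CORS ones are assumptions; the real web-interface origin and the Origin value the Cordova WebView sends must be captured from the deployed app and a device, since the WebView's Origin differs by platform. The reflecting variant is shown beside it because that is the pattern the issue describes: echoing the Origin back with credentials allowed lets any site drive the API with the victim's session cookie.

```javascript
'use strict';

// Assumed trusted origins: the web interface and the packaged Cordova app.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // assumed web interface origin
  'ionic://localhost',         // assumed Cordova WebView scheme/host
]);
// Never add the serialized "null" origin: sandboxed iframes, data: URLs and
// some redirects also produce it, so it identifies nobody.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Vulnerable pattern: reflect whatever Origin the browser sent and allow
// credentials. Any page can then read authenticated responses and issue
// state-changing requests carrying the session cookie.
function reflectingCors(origin) {
  return {
    status: 200,
    headers: {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
    },
  };
}

// Hardened pattern: exact string match against a fixed allowlist.
// Returns the CORS decision for one request; the caller merges `headers`
// into the real response and stops processing when `status` is 403.
function corsDecision(req, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers['origin'];
  const method = (req.method || 'GET').toUpperCase();

  // Same-origin navigations and non-browser clients send no Origin.
  if (origin === undefined) {
    return { status: 200, headers: {} };
  }

  // Exact match, not startsWith or a regex: a prefix check would accept
  // https://app.example.com.evil.example.
  if (!allowed.has(origin)) {
    // Withholding the headers makes the browser block the *read*, but a
    // simple request (form POST, text/plain XHR) still reaches the server
    // with the cookie attached, so reject state changes from unknown origins.
    return SAFE_METHODS.has(method)
      ? { status: 200, headers: {} }
      : { status: 403, headers: {} };
  }

  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Vary so a shared cache never serves one origin's headers to another.
    'Vary': 'Origin',
  };
  if (method === 'OPTIONS') {
    // Preflight: advertise what the allowlisted origin may do.
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, X-Requested-With';
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, headers };
  }
  return { status: 200, headers };
}

// Constructed sample requests (not captured traffic).
const fromApp   = { method: 'POST', headers: { origin: 'https://app.example.com' } };
const fromEvil  = { method: 'POST', headers: { origin: 'https://evil.example' } };
const lookalike = { method: 'GET',  headers: { origin: 'https://app.example.com.evil.example' } };

console.log('trusted POST   ->', corsDecision(fromApp));
console.log('untrusted POST ->', corsDecision(fromEvil));
console.log('lookalike GET  ->', corsDecision(lookalike));
console.log('reflecting     ->', reflectingCors(fromEvil.headers.origin));
```

Note that allowlisting the origin only covers browser-mediated requests; it does not replace the first proposal (token instead of cookie) for clients that can set arbitrary headers, and the cookie itself should still carry `Secure`, `HttpOnly` and a `SameSite` attribute where the Cordova WebView tolerates it.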