Protect RPC interface against CSRF #1668
By now enforcing that the Content-Type header is set to 'application/json', we force browsers attempting a cross-domain request to first perform a CORS preflight OPTIONS request. This request always includes an Origin header which we check against our whitelist. The whitelist contains the current Host as well as anything specified in the new optional allowed_origins config value. Any non-browser tools must also now set the Content-Type header.
Also fixed up formatting following code review.
This was referenced
Oct 8, 2018
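The check described in the pull request summary, written out as an added example (not the pull request's own code). The function names, status codes, the host[:port] form of `allowed_origins` entries, and the Origin check on the POST itself are assumptions.

```python
from urllib.parse import urlsplit


def origin_allowed(headers, allowed_origins):
    """True if Origin's host[:port] equals the request Host or a whitelist entry."""
    netloc = urlsplit(headers.get("origin", "")).netloc.lower()
    whitelist = {headers.get("host", "").lower()}
    whitelist |= {entry.lower() for entry in allowed_origins}
    whitelist.discard("")  # a missing Host must never match an opaque/"null" Origin
    return netloc in whitelist


def check_rpc_request(method, headers, allowed_origins=()):
    """Return (HTTP status, reason) for a request to the JSON-RPC endpoint."""
    headers = {name.lower(): value for name, value in headers.items()}
    if method == "OPTIONS":
        # CORS preflight: the browser always sends Origin, so it can be checked.
        if origin_allowed(headers, allowed_origins):
            return 204, "preflight accepted"
        return 403, "origin not in whitelist"
    if method != "POST":
        return 405, "method not allowed"
    # HTML forms can only send urlencoded, multipart or text/plain bodies
    # without a preflight, so requiring JSON here closes the form-post path.
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        return 415, "Content-Type must be application/json"
    # Assumption: also check Origin on the actual request when one is sent.
    if "origin" in headers and not origin_allowed(headers, allowed_origins):
        return 403, "origin not in whitelist"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests; host names are placeholders.
    host = {"Host": "player.local:8080"}
    samples = [
        ("POST", {**host, "Content-Type": "text/plain", "Origin": "http://other.example"}),
        ("OPTIONS", {**host, "Origin": "http://other.example"}),
        ("OPTIONS", {**host, "Origin": "http://player.local:8080"}),
        ("POST", {**host, "Content-Type": "application/json; charset=utf-8"}),
    ]
    for method, hdrs in samples:
        print(method, hdrs.get("Origin"), check_rpc_request(method, hdrs))
```
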