http: Add config option to disable CSRF protection (Fixes: #1713) #1714
This will remove the requirement to set a
I am not sold on the config name but I wanted to make it really clear that setting it is less secure. Alternate name suggestions welcome.
Also, I am not 100% sure if we should be disabling all the protections (as is currently implemented here) or if we should just remove the requirement to set a
Looks good to me. Only suggestion I'd have is, if it's going to be called
and double negation always gives me headaches. But that's nit-picking, really.
Allows users to disable CSRF protection and revert to the HTTP server's previous (less secure) behaviour. Users are advised to leave this config value enabled if possible. However, if disabled this will:

* Remove the requirement to set a ``Content-Type: application/json`` header for JSON-RPC POST requests.
* Disable all same-origin checks, effectively ignoring the ``allowed_origins`` config since requests from any origin will be allowed.
* Suppress all ``Access-Control-Allow-*`` response headers.
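The three protections listed above, and what the proposed switch turns off, are easier to reason about with a concrete request gate in front of you. The following is an added illustration, not code from this PR or from the project; the option name `disable_csrf_protection`, the `HttpConfig`/`Decision` types, the status codes, and the sample origins are all constructed for the example. It models the pre-request check a JSON-RPC HTTP server would run: the `Content-Type` requirement (which keeps a plain cross-site HTML form from reaching the RPC handler), the `Origin` check against `allowed_origins`, and the `Access-Control-Allow-*` headers that are only emitted for an allowed browser origin. With the switch set, all three are bypassed at once, which is the behaviour the PR description warns about.

```python
"""Constructed example: CSRF/CORS gate for a JSON-RPC endpoint."""
from dataclasses import dataclass, field


@dataclass
class HttpConfig:
    # Origins a browser page may call the endpoint from (constructed values).
    allowed_origins: list = field(default_factory=list)
    # Hypothetical name for the switch this PR proposes; True reverts to the
    # older, less secure behaviour the description lists.
    disable_csrf_protection: bool = False


@dataclass
class Decision:
    status: int                          # 200 = proceed, 403/415 = reject
    reason: str
    headers: dict = field(default_factory=dict)   # CORS headers to emit


def _is_json_content_type(value):
    # Accept "application/json" with optional parameters such as charset.
    media_type = value.split(";", 1)[0].strip().lower()
    return media_type == "application/json"


def gate_jsonrpc_request(method, headers, config):
    """Apply the three protections from the PR description unless disabled."""
    headers = {k.lower(): v for k, v in headers.items()}
    origin = headers.get("origin")

    if config.disable_csrf_protection:
        # Legacy behaviour: no Content-Type requirement, no same-origin check,
        # and no Access-Control-Allow-* headers at all.
        return Decision(200, "csrf protection disabled", {})

    # 1. POST must carry Content-Type: application/json. A cross-site <form>
    #    cannot send that media type, and a fetch()/XHR that sets it is no
    #    longer a "simple" request, so the browser preflights it instead.
    if method == "POST" and not _is_json_content_type(headers.get("content-type", "")):
        return Decision(415, "Content-Type must be application/json")

    # 2. Same-origin check: browsers attach Origin to cross-site requests; only
    #    listed origins pass. Requests without Origin (curl, native clients)
    #    are not browser-initiated and are not subject to this check.
    if origin is not None and origin not in config.allowed_origins:
        return Decision(403, "origin not allowed: %s" % origin)

    # 3. CORS response headers, emitted only for an allowed browser origin.
    cors = {}
    if origin is not None:
        cors = {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": "POST, OPTIONS",
            "Access-Control-Allow-Headers": "Content-Type",
            "Vary": "Origin",
        }
    return Decision(200, "ok", cors)


if __name__ == "__main__":
    # Constructed requests showing each branch of the gate.
    cfg = HttpConfig(allowed_origins=["https://wallet.example"])
    legacy = HttpConfig(allowed_origins=["https://wallet.example"],
                        disable_csrf_protection=True)
    samples = [
        ("form post, no origin list match", {"Content-Type": "application/x-www-form-urlencoded",
                                             "Origin": "https://evil.example"}),
        ("json post from unlisted origin", {"Content-Type": "application/json",
                                            "Origin": "https://evil.example"}),
        ("json post from allowed origin", {"Content-Type": "application/json; charset=utf-8",
                                           "Origin": "https://wallet.example"}),
        ("json post from non-browser client", {"Content-Type": "application/json"}),
    ]
    for label, hdrs in samples:
        for name, conf in (("protected", cfg), ("disabled", legacy)):
            d = gate_jsonrpc_request("POST", hdrs, conf)
            print("%-36s %-9s -> %d %s" % (label, name, d.status, d.reason))
```

Note that with the switch on, the first two sample requests (a cross-site form post and a JSON post from an unlisted origin) are accepted exactly as they were before the protection existed, which is why the description recommends leaving the protection in place.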