http: Add config option to disable CSRF protection (Fixes: #1713) #1714
Conversation
I think the config name is OK. Maybe flip it around and remove the disable prefix?
docs/ext/http.rst (outdated):

.. confval:: http/disable_csrf_protection

   Disable the HTTP server's protection against Cross-Site Request Forgery
   (CSRF) from both JSON-RPC and Websocket requests.
s/Websocket/WebSocket/
docs/ext/http.rst (outdated):

   This will remove the requirement to set a ``Content-Type: application/json``
   header for JSON-RPC POST requests. It will also disable all same-origin
   checks, effectively ignoring the ``allowed_origins`` config since requests
   from any origin will be allowed. Lastly, all ``'Access-Control-Allow-*``
Extra quote mark before the header name.
Force-pushed from fd9cba9 to 02f9244.
Also added the issue/PR numbers to the changelog.
Force-pushed from 02f9244 to 2828a43.
Looks good to me. Only suggestion I'd have is, if it's going to be called and double negation always gives me headaches. But that's nit-picking, really.
mopidy/http/handlers.py (outdated):

@@ -20,17 +20,23 @@

def make_mopidy_app_factory(apps, statics):
    def mopidy_app_factory(config, core):
        disable_csrf_protection = not config['http']['csrf_protection']
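Review bot: `disable_csrf_protection = not config['http']['csrf_protection']` inverts the polarity of the config key it reads, so any later `if not disable_csrf_protection:` becomes a double negative. Keep the local in the same polarity as the confval, e.g. `csrf_protection = config['http']['csrf_protection']`, and branch on `if csrf_protection:` where the Content-Type and origin checks are applied. The remaining lines of this hunk are not shown here, so the use sites themselves cannot be checked.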
You need to rename this variable and flip the logic here.
Ok, I actually misread this and didn't notice the "not". I guess that proves my point. :-)
docs/ext/http.rst (outdated):

   Disabling this will remove the requirement to set a ``Content-Type: application/json``
   header for JSON-RPC POST requests. It will also disable all same-origin
   checks, effectively ignoring the ``allowed_origins`` config since requests
s/``allowed_origins``/:confval:`http/allowed_origins`/
Ha well your belief in my tests says more! I'm away over the weekend but I can change it next week.
Force-pushed from 2828a43 to b7f4fd0.
Allows users to disable CSRF protection and revert to the HTTP server's
previous (less secure) behaviour. Users are advised to leave this config
value enabled if possible. However, if disabled this will:

* Remove the requirement to set a ``Content-Type: application/json`` header
  for JSON-RPC POST requests.
* Disable all same-origin checks, effectively ignoring the ``allowed_origins``
  config since requests from any origin will be allowed.
* Suppress all ``Access-Control-Allow-*`` response headers.
Force-pushed from b7f4fd0 to 10fafc0.
That should be all consistent now.
This will remove the requirement to set a ``Content-Type: application/json`` header for JSON-RPC POST requests. It will also disable all same-origin checks, effectively ignoring the ``allowed_origins`` config since requests from any origin will be allowed. Lastly, all ``Access-Control-Allow-*`` response headers will be suppressed.
I am not sold on the config name but I wanted to make it really clear that setting it is less secure. Alternate name suggestions welcome.
Also, I am not 100% sure if we should be disabling all the protections (as is currently implemented here) or if we should just remove the requirement to set a ``Content-Type`` header...
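The three protections this PR makes switchable (the ``Content-Type: application/json`` requirement for JSON-RPC POSTs, the same-origin check against ``allowed_origins``, and the ``Access-Control-Allow-*`` response headers) as one decision function gated by a single ``csrf_protection`` flag. This is an added example for this page, not Mopidy's own handler code. The function name ``check_request``, the header-dict interface, letting requests with no ``Origin`` header through, treating the request ``Host`` as an implicitly allowed origin, and tolerating parameters such as ``; charset=utf-8`` on the media type are assumptions of the example and not something the PR states; the sample requests in the usage block are constructed.

```python
"""Added example (not Mopidy's code): the CSRF protections described in this
PR as a single decision function gated by one ``csrf_protection`` flag."""
from urllib.parse import urlparse


def _media_type(content_type):
    """Bare media type of a Content-Type value, lower-cased, with parameters
    such as '; charset=utf-8' stripped. Assumption: parameters are tolerated."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def _origin_host(origin):
    """'host[:port]' part of an Origin header value, or '' if it is not an
    absolute URL (e.g. the literal 'null' that a sandboxed frame sends)."""
    parsed = urlparse(origin)
    if not parsed.scheme or not parsed.netloc:
        return ""
    return parsed.netloc.lower()


def check_request(method, headers, allowed_origins, csrf_protection=True):
    """Decide whether a JSON-RPC request may be served.

    Returns (allowed, reason, response_headers). ``headers`` is a plain dict
    of request headers; lookup is case-insensitive. The order of the checks
    and the handling of a missing Origin header are assumptions of this
    example, not the project's documented behaviour.
    """
    h = {name.lower(): value for name, value in headers.items()}

    if not csrf_protection:
        # The server's previous, less secure behaviour: nothing is checked
        # and no Access-Control-Allow-* headers are sent at all.
        return True, "csrf protection disabled", {}

    if method.upper() == "POST" and _media_type(h.get("content-type")) != "application/json":
        # A cross-site form POST can carry text/plain, x-www-form-urlencoded
        # or multipart bodies without a CORS preflight. Insisting on a JSON
        # media type makes browsers preflight, so the origin check below
        # runs before the request body is ever executed.
        return False, "POST requires Content-Type: application/json", {}

    origin = h.get("origin")
    if origin is None:
        # Browsers always send Origin on cross-site fetch/XHR and WebSocket
        # requests; a missing header means a non-browser client such as curl.
        return True, "no Origin header", {}

    allowed = {o.lower() for o in allowed_origins}
    if "host" in h:
        # Same-origin requests carry an Origin equal to our own Host.
        allowed.add(h["host"].lower())
    origin_host = _origin_host(origin)
    if not origin_host or origin_host not in allowed:
        return False, "origin %s not allowed" % origin, {}

    cors_headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Headers": "Content-Type",
        "Access-Control-Allow-Methods": "POST, OPTIONS",
    }
    return True, "origin allowed", cors_headers


if __name__ == "__main__":
    # Constructed sample requests against a server on localhost:6680 that
    # additionally allows a web client hosted at app.example:6680.
    allowed = {"app.example:6680"}
    samples = [
        ("POST", {"Content-Type": "text/plain", "Host": "localhost:6680",
                  "Origin": "http://evil.example"}),
        ("POST", {"Content-Type": "application/json; charset=utf-8",
                  "Host": "localhost:6680", "Origin": "http://evil.example"}),
        ("POST", {"Content-Type": "application/json", "Host": "localhost:6680",
                  "Origin": "http://app.example:6680"}),
        ("POST", {"Content-Type": "application/json", "Host": "localhost:6680"}),
    ]
    for flag in (True, False):
        for method, hdrs in samples:
            ok, why, extra = check_request(method, hdrs, allowed, flag)
            print("csrf_protection=%-5s allowed=%-5s %s %s" % (flag, ok, why, extra))
```

With the flag off every sample is accepted and no CORS headers are emitted, which is exactly the "previous (less secure) behaviour" the commit message describes; with it on, only the same-origin request and the explicitly allowed web client get through, and only those receive ``Access-Control-Allow-Origin``.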