This repository has been archived by the owner on Sep 22, 2020. It is now read-only.

Fix Bug 880900 - Add CSRF Token support to SSO requests #91

Merged
merged 1 commit into from Jun 8, 2013

mjschranz
Contributor

@@ -183,6 +183,9 @@
type: 'POST',
url: '/persona/verify',
data: {assertion: assertion},
beforeSend: function (request) {
request.setRequestHeader("x-csrf-token", document.querySelector("meta[name='sso-csrf-token']").content);
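
Review bot: In `beforeSend`, the result of `document.querySelector("meta[name='sso-csrf-token']")` is dereferenced with `.content` without a null check, so on any page that lacks that meta element the callback throws a TypeError before the `x-csrf-token` header is set on the POST to `/persona/verify`. Look the element up once, call `setRequestHeader` only when it exists, and handle the missing case explicitly (for example by logging it) so a template that omits the tag shows up as a clear failure rather than an uncaught exception in the verify call.
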
Member

From the express docs, use X-CSRF-Token: http://expressjs.com/api.html#csrf

Member

Also, change the meta tag to just csrf-token; it's not being used just for sso

Member

Also also, this will fail if the page does not have that particular meta element on the page with a TypeError: document.querySelector(...) is null.

Add an if check, and I think this is ready to go.

mjschranz merged commit 21de6c6 into mozilla:master Jun 8, 2013