
Only check OCS-APIREQUEST header in case of an apptoken #26942

@LukasReschke

Description

We should only check the OCS-APIREQUEST header in case of an app token. Otherwise we should always require the presence of a CSRF token (in the past there have been bugs that would allow an attacker to set arbitrary headers, potentially cross-origin).

Ref https://hackerone.com/reports/1023822
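The two policies the issue contrasts, as an added example that is not Nextcloud's code and not part of the issue: a legacy check in which the OCS-APIREQUEST header alone waives the CSRF token for any request, beside the proposed check in which the header is consulted only for app-token authentication and cookie sessions always need a CSRF token. The `Request` class, the `auth` labels, the session token value and the sample requests are all constructed for illustration.

```python
"""Added example, not Nextcloud's implementation: CSRF decision logic for an
OCS-style API, showing why the OCS-APIREQUEST header should only waive the
CSRF token when the request authenticated with an app token."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed: in a real server this value lives in the user's session.
SESSION_CSRF_TOKEN = "constructed-session-csrf-token"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    auth: str                                   # "app_token" or "session_cookie"
    headers: Dict[str, str] = field(default_factory=dict)
    csrf_token: Optional[str] = None            # token the client sent, if any


def _header(req: Request, name: str) -> str:
    """Case-insensitive header lookup, as HTTP header names are case-insensitive."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def has_ocs_header(req: Request) -> bool:
    return _header(req, "OCS-APIREQUEST").strip().lower() == "true"


def has_valid_csrf_token(req: Request) -> bool:
    """Constant-time comparison against the session's CSRF token."""
    if req.csrf_token is None:
        return False
    return hmac.compare_digest(req.csrf_token, SESSION_CSRF_TOKEN)


def legacy_passes_csrf(req: Request) -> bool:
    """Legacy policy: the header alone is accepted as proof of a non-browser
    caller, no matter how the request authenticated.  A cookie-authenticated
    cross-origin request that manages to carry this header is waved through."""
    if has_ocs_header(req):
        return True
    return has_valid_csrf_token(req)


def hardened_passes_csrf(req: Request) -> bool:
    """Proposed policy: app-token authentication is not cookie-based, so the
    header is only meaningful there.  Any cookie session must present a CSRF
    token; the header cannot substitute for it."""
    if req.auth == "app_token":
        return has_ocs_header(req)
    return has_valid_csrf_token(req)


# Constructed sample requests covering the cases the issue cares about.
SAMPLES = {
    "cookie_with_header_only": Request("session_cookie", {"OCS-APIREQUEST": "true"}),
    "cookie_with_csrf_token": Request("session_cookie", {}, SESSION_CSRF_TOKEN),
    "cookie_with_wrong_token": Request("session_cookie", {}, "wrong-token"),
    "app_token_with_header": Request("app_token", {"ocs-apirequest": "true"}),
    "app_token_without_header": Request("app_token", {}),
}


def compare_policies() -> Dict[str, Dict[str, bool]]:
    """Evaluate every sample under both policies; the one divergence is the
    cookie session relying on the header alone."""
    return {
        name: {"legacy": legacy_passes_csrf(req), "hardened": hardened_passes_csrf(req)}
        for name, req in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:28s} legacy={result['legacy']!s:5s} hardened={result['hardened']}")
```

The only case where the two policies differ is a cookie-authenticated request carrying the header but no CSRF token: the legacy check accepts it, the hardened check rejects it, which is exactly the class of cross-origin header-setting bug the issue refers to.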
