Double slash in URLs causes CSRF issues #779
Labels: feat, good first issue, help wanted
Describe the bug
Using a double-slash - usually on accident (https://my-kratos//foo/bar) - in URLs will cause the nosurf handler to ignore ExemptPath, which leads to hard-to-debug errors for API flows.
Reproducing the bug
Try to POST an API flow with a double slash in the URL to e.g. the password method.
Server logs
Expected behavior
This should be handled gracefully.
Environment
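The failure mode reported above, reproduced as an added example (not code from Kratos or nosurf): a CSRF exemption that compares the raw request path misses `//foo/bar`, and cleaning the path before the check restores the exemption. `csrfGate`, `cleanPath`, `postStatus` and the exempt path `/foo/bar` are hypothetical, and the exact-string exemption check is an assumption of this model.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// exemptPaths models an exact-match CSRF exemption list (assumption: the
// exemption check compares the raw request path string for equality).
var exemptPaths = map[string]bool{"/foo/bar": true}

// csrfGate stands in for a CSRF middleware; the constructed requests carry no token.
func csrfGate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost && !exemptPaths[r.URL.Path] {
			http.Error(w, "CSRF token missing", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// cleanPath collapses duplicate slashes before the CSRF check and the router see the path.
func cleanPath(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := path.Clean("/" + r.URL.Path)
		if strings.HasSuffix(r.URL.Path, "/") && p != "/" {
			p += "/" // path.Clean drops a trailing slash; keep it
		}
		r.URL.Path, r.URL.RawPath = p, ""
		next.ServeHTTP(w, r)
	})
}

// postStatus sends a token-less POST to target through h and returns the status code.
func postStatus(h http.Handler, target string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, target, nil))
	return rec.Code
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	fmt.Println(postStatus(csrfGate(ok), "https://my-kratos//foo/bar"))            // exemption missed
	fmt.Println(postStatus(cleanPath(csrfGate(ok)), "https://my-kratos//foo/bar")) // exemption applied
}
```

The normalisation has to sit in front of both the CSRF check and the router, so that the two agree on which path a request is for.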