Currently ownCloud tries to read the CSRF token from GET and POST by default. While this is per se not a security bug, it creates another attack vector.
Due to the Same-Origin Policy, websites on another domain cannot send arbitrary headers to other sites. However, they can pass arbitrary POST or GET parameters.
We should by default only read the requesttoken from the header and give app developers the option to opt in in case they want to read it from other sources as well. (This could be done using the AppFramework.)
We will probably encounter some problems with the EventSource…
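The following is an added illustration of the token-source distinction the issue describes; it is not ownCloud's code (ownCloud is written in PHP, this is a Python sketch of the logic). It assumes the token travels in a header named `requesttoken` and, only when an app opts in, in a GET/POST parameter of the same name; the request objects and token values are constructed for the example. In header-only mode a request whose token arrives solely as a form field is rejected, which is exactly what a cross-origin form submission can produce; the `allow_params` opt-in re-enables the parameter sources.

```python
"""Header-only CSRF token extraction with an explicit opt-in for GET/POST."""
import hmac

# Assumed names (not taken from ownCloud's code): the token header and the
# parameter name an app may opt in to reading.
TOKEN_HEADER = "requesttoken"
TOKEN_PARAM = "requesttoken"


class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""

    def __init__(self, headers=None, get=None, post=None):
        # HTTP header names are case-insensitive, so normalise to lowercase
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.get = dict(get or {})
        self.post = dict(post or {})


def extract_request_token(request, allow_params=False):
    """Return the CSRF token carried by the request, or None if there is none.

    The header is always consulted. GET/POST parameters are consulted only when
    the caller has explicitly opted in, because a page on another origin can
    submit arbitrary form fields and query strings but cannot set custom headers.
    """
    token = request.headers.get(TOKEN_HEADER.lower())
    if token is None and allow_params:
        token = request.post.get(TOKEN_PARAM)
        if token is None:
            token = request.get.get(TOKEN_PARAM)
    return token


def passes_csrf_check(request, session_token, allow_params=False):
    """True if the request carries the token bound to the user's session."""
    token = extract_request_token(request, allow_params)
    if token is None:
        return False
    # constant-time comparison so the check does not leak the token via timing
    return hmac.compare_digest(token, session_token)


# Constructed sample data
SESSION_TOKEN = "constructed-session-token-0123"

# Same-origin JavaScript (an XHR, for instance) can set the header
SAME_ORIGIN_XHR = Request(headers={"RequestToken": SESSION_TOKEN},
                          post={"action": "delete"})

# A form on a third-party site can only supply parameters, never the header
CROSS_SITE_FORM = Request(post={"action": "delete", TOKEN_PARAM: SESSION_TOKEN})

# A request whose header carries a token that does not match the session
STALE_HEADER = Request(headers={TOKEN_HEADER: "constructed-stale-token"})


if __name__ == "__main__":
    samples = [("same-origin XHR", SAME_ORIGIN_XHR),
               ("cross-site form", CROSS_SITE_FORM),
               ("stale header", STALE_HEADER)]
    for name, req in samples:
        strict = passes_csrf_check(req, SESSION_TOKEN)
        opted_in = passes_csrf_check(req, SESSION_TOKEN, allow_params=True)
        print(f"{name:16} header-only: {strict!s:5}  with opt-in: {opted_in}")
```

The stale-header case shows that opting in to parameters does not weaken the check for requests that do carry a header: the header value is authoritative once present and is never overridden by a parameter.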