
Support CSRF token per default only via header #11915

Closed
LukasReschke opened this issue Nov 3, 2014 · 2 comments

Comments

@LukasReschke
Member

Currently ownCloud tries to read the CSRF token from GET and POST by default. While this is per se not a security bug, it creates another attack vector.

Due to the Same-Origin Policy, websites on another domain cannot send arbitrary headers to other sites. However, they can pass arbitrary POST or GET parameters.

We should by default only read the requesttoken from the header and give app developers the option to opt in in case they want to read it also from other sources. (This could be done using the AppFramework.)

Probably we may encounter some problems with the EventSource…
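The header-only default with a per-route opt-in described above, as an added example that is not ownCloud code. The header and parameter name `requesttoken`, the `Request` stand-in and the `token_from_params` decorator are assumptions made for this illustration.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

HEADER_NAME = "requesttoken"  # assumed header name (constructed for this example)
PARAM_NAME = "requesttoken"   # assumed GET/POST parameter name (constructed)


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for the example)."""
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def token_from_params(handler):
    """Decorator: per-route opt-in to also accept the token from GET/POST."""
    handler.csrf_allow_params = True
    return handler


def extract_token(request: Request, allow_params: bool) -> Optional[str]:
    # A page on another origin cannot attach custom headers to a cross-site
    # request, so the header is the default (and normally the only) source.
    token = request.headers.get(HEADER_NAME)
    if token or not allow_params:
        return token or None
    # Opt-in path only: fall back to POST, then GET, parameters.
    return request.form.get(PARAM_NAME) or request.query.get(PARAM_NAME) or None


def csrf_check_passes(request: Request, session_token: str, handler) -> bool:
    """True if the request carries the session's token via an allowed source."""
    allow_params = getattr(handler, "csrf_allow_params", False)
    token = extract_token(request, allow_params)
    if token is None:
        return False
    # Constant-time comparison so the check does not leak the token by timing.
    return hmac.compare_digest(token, session_token)


def default_handler(request: Request) -> str:
    return "ok"  # strict: token accepted from the header only


@token_from_params
def legacy_handler(request: Request) -> str:
    return "ok"  # explicitly opted in to parameter-carried tokens
```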

@LukasReschke
Member Author

Replaced by #24092

@lock

lock bot commented Aug 5, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
