[WebUI] relax CSRF defense. Closes #6882.

[Chocobo1]

Allow HTTP request which has neither Origin nor Referer header included.

summary: #6882 (comment)

[naikel]

@Chocobo1 can you fix the capitalization of the X-Forwarded-Host header? I think you typed it as "x-forwarded-host". Even though this works fine, it looks weird.

[Chocobo1]

can you fix the capitalization of the X-Forwarded-Host header?

AFAIK, http header name are case insensitive (RFC 7230?), and we will convert all header name constants to lowercase in near future.

UPDATE:

RFC7230
3.2.  Header Fields
   Each header field consists of a case-insensitive field name followed by a colon (":"),
   optional leading whitespace, the field value, and optional trailing whitespace.

[naikel]

@Chocobo1 Yes, like I said that works fine, but all other headers in the source code are capitalized like the browsers send them:

    const char HEADER_X_CONTENT_TYPE_OPTIONS[] = "X-Content-Type-Options";
    const char HEADER_X_FRAME_OPTIONS[] = "X-Frame-Options";
    const char HEADER_X_XSS_PROTECTION[] = "X-XSS-Protection";

It's just to be consistent with the rest of the code and it looks better.

[Chocobo1]

It's just to be consistent with the rest of the code and it looks better.

Please... it's just temporal and qbt already stores header name in lowercase, using capitalized string WON'T WORK.

[naikel]

@Chocobo1 It's just for readability of the source code, all other headers are capitalized for readability, it's just readability, it doesn't have anything to do with functionality. Don't you think it would look weird on types.h that every single header but yours is capitalized?

[Chocobo1]

Don't you think it would look weird on types.h that every single header but yours is capitalized?

If I change all header name constants to lowercase now, that makes you happy?
Serious question.

[naikel]

@Chocobo1 yes, but I feel like you want to go against the world. All browsers send them capitalized. Curl and wget also send them capitalized. They are already capitalized in the source code. I know it makes no difference, but why you want to be different?

    const char HEADER_X_CONTENT_TYPE_OPTIONS[] = "X-Content-Type-Options";
    const char HEADER_X_FORWARDED_HOST[] = "x-forwarded-host";
    const char HEADER_X_FRAME_OPTIONS[] = "X-Frame-Options";
    const char HEADER_X_XSS_PROTECTION[] = "X-XSS-Protection";

That definitely doesn't look good (for readability).

EDIT: I thought that when something is not included in the code guidelines, you should stick with what is already there, for consistency.

[Chocobo1]

yes

Alright, I'll open another PR for this.

but why you want to be different?

To save us another transition when some day we implements HTTP/2 (which all headers are in lowercase).

[sledgehammer999]

I absolutely have no input in this. I don't want to get my hands dirty with webui code. If you want a cursory approval I can do it.
In the meantime let's not forget @OpenGG who initially reported the original problem.

[sledgehammer999]

Quick question: Does this PR warrant a new stable version aka v3.3.14?

[naikel]

@sledgehammer999 We would have to compile the changes and test them against severals third-party applications to be 100% sure it's stable

[sledgehammer999]

@sledgehammer999 We would have to compile the changes and test them against severals third-party applications to be 100% sure it's stable

v3.3.13 was released because it defended against CSRF. Now this PR relaxes the conditions. So I am asking if it is important to be released as soon as possible(v3.3.14) or wait for v3.4.0...

[Taloth]

I'd say yes, it's worth 3.3.14, coz the longer version 3.3.13 is the latest, the more users will encounter problems.

[ngosang]

@Chocobo1 I agree with @naikel , although HTTP headers are case insensitive, most web servers/browsers use capitalization.

[Chocobo1]

@ngosang
#6887 (comment)

[sledgehammer999]

Seems that no one objects after ~11 days. So merging.
Thx for this.
New version with this will probably appear during the weekend.

[JourneyOver]

Any ETA on when this fix will be coming out?

[sledgehammer999]

I'll try to release this weekend.