[WebUI] relax CSRF defense. Closes #6882. #6887
Conversation
Allow HTTP requests which have neither an Origin nor a Referer header included
@Chocobo1 can you fix the capitalization of the X-Forwarded-Host header? I think you typed it as "x-forwarded-host". Even though this works fine, it looks weird.
AFAIK, HTTP header names are case-insensitive (RFC 7230?), and we will convert all header name constants to lowercase in the near future. UPDATE:
@Chocobo1 Yes, like I said that works fine, but all other headers in the source code are capitalized like the browsers send them:
It's just to be consistent with the rest of the code and it looks better.
Please... it's just temporary, and qbt already stores header names in lowercase, so using a capitalized string WON'T WORK.
@Chocobo1 It's just for readability of the source code. All other headers are capitalized for readability; it's just readability, it doesn't have anything to do with functionality. Don't you think it would look weird in types.h that every single header but yours is capitalized?
If I change all header name constants to lowercase now, would that make you happy?
@Chocobo1 yes, but I feel like you want to go against the world. All browsers send them capitalized. Curl and wget also send them capitalized. They are already capitalized in the source code. I know it makes no difference, but why do you want to be different?
That definitely doesn't look good (for readability). EDIT: I thought that when something is not included in the code guidelines, you should stick with what is already there, for consistency.
Alright, I'll open another PR for this.
To save us another transition when some day we implement HTTP/2 (in which all headers are lowercase).
I absolutely have no input in this. I don't want to get my hands dirty with webui code. If you want a cursory approval I can do it.
Quick question: Does this PR warrant a new stable version, aka v3.3.14?
@sledgehammer999 We would have to compile the changes and test them against several third-party applications to be 100% sure it's stable.
v3.3.13 was released because it defended against CSRF. Now this PR relaxes the conditions. So I am asking if it is important to be released as soon as possible (v3.3.14) or wait for v3.4.0...
I'd say yes, it's worth 3.3.14, because the longer version 3.3.13 is the latest, the more users will encounter problems.
Seems that no one objects after ~11 days. So merging. |
Any ETA on when this fix will be coming out? |
I'll try to release this weekend. |
Allow HTTP requests which have neither an Origin nor a Referer header included.
summary: #6882 (comment)
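The check this PR relaxes, as an added illustration (not qBittorrent's code): a same-origin check that compares the host in Origin or Referer against the request's Host, looks headers up case-insensitively as RFC 7230 requires, and with `relaxed=True` admits requests carrying neither header, which is the behaviour the PR introduces. Taking the target host from X-Forwarded-Host when present (reverse-proxy case) is an assumption here; all header values are constructed samples.

```python
from urllib.parse import urlsplit


def lookup_header(headers, name):
    """Case-insensitive header lookup: RFC 7230 field names are case-insensitive,
    so "Origin", "origin" and "ORIGIN" must all match."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def origin_host(value):
    """Return the lowercased host[:port] of an Origin/Referer value, or None
    when it has none (e.g. the literal Origin "null")."""
    return urlsplit(value).netloc.lower() or None


def is_csrf_safe(headers, relaxed=True):
    """True when the request passes the Origin/Referer same-host check.

    relaxed=True  : a request with neither Origin nor Referer is allowed
                    (the behaviour this PR introduces).
    relaxed=False : such a request is rejected (the strict v3.3.13 behaviour).
    Assumption: X-Forwarded-Host, if present, names the externally visible host.
    """
    target = lookup_header(headers, "X-Forwarded-Host") or lookup_header(headers, "Host")
    if target is None:
        return False
    target = target.lower()

    origin = lookup_header(headers, "Origin")
    referer = lookup_header(headers, "Referer")
    if origin is None and referer is None:
        return relaxed  # third-party clients often send neither header

    # Every header that is present must name the same host as the target.
    for candidate in (origin, referer):
        if candidate is not None and origin_host(candidate) != target:
            return False
    return True


# Constructed sample requests (not captured from a real deployment).
SAME_ORIGIN = {"Host": "qbt.local:8080", "Origin": "http://qbt.local:8080"}
CROSS_SITE = {"Host": "qbt.local:8080", "Origin": "http://evil.example"}
NO_HEADERS = {"host": "qbt.local:8080"}  # e.g. a curl-style API client
BEHIND_PROXY = {"Host": "127.0.0.1:8080", "x-forwarded-host": "qbt.example.org",
                "Referer": "https://qbt.example.org/index.html"}
```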