Draft of adding CSRF protection for AJAX requests #1017
This current PR also requires manually calling
This should be ready for review. I'm happy with the explanation of CSRF attacks and the prevention mechanism. The middleware makes CSRF protection very simple to add.
Yeah, it looks like I can't just prevent CSRF protection from applying to
I can have it only run CSRF protection on
I made a few more modifications like using constant time comparison, as yesod-form suggests.
Anyway, I think this PR is ready for final review. I know you said to go ahead without your input @snoyberg but since it's a security thing I wouldn't mind more review; for a long time this PR wasn't doing things like constant time comparison.
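As an added illustration of the constant-time comparison mentioned above (this is example code written for this page, not code from the PR or from yesod-core/yesod-form), the following shows a CSRF check for non-safe AJAX requests that compares the submitted token against the session token with `hmac.compare_digest`, next to the early-exit comparison it replaces. The header name `X-XSRF-TOKEN`, the session-stored token and the set of exempt methods are assumptions for the example, not Yesod's actual configuration.

```python
import hmac
import secrets
from typing import Mapping, Optional, Tuple

# Assumed names for this example; Yesod's actual header and token layout may differ.
CSRF_HEADER = "X-XSRF-TOKEN"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def generate_csrf_token() -> str:
    """Fresh unguessable token to store in the session and hand to the client."""
    return secrets.token_urlsafe(32)


def naive_equal_steps(a: str, b: str) -> Tuple[bool, int]:
    """Early-exit comparison: returns (equal, characters examined).

    The second value makes the leak visible without a stopwatch: the number of
    characters examined (and so the running time) depends on how long the common
    prefix of the two strings is. This is the weak form, shown for contrast only.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(a: str, b: str) -> bool:
    """Comparison whose running time does not depend on where the strings differ.

    Token length is not secret here (every token has the same length), so only the
    content comparison needs to be constant-time; hmac.compare_digest provides it.
    """
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def csrf_check(method: str, headers: Mapping[str, str], session_token: Optional[str]) -> bool:
    """Return True if the request may proceed past CSRF protection.

    Safe (read-only) methods are exempt; every other request must carry the
    session's token in the CSRF header. Header names are matched case-insensitively.
    """
    if method.upper() in SAFE_METHODS:
        return True
    if not session_token:
        # No token was ever issued for this session: nothing to compare against.
        return False
    lowered = {name.lower(): value for name, value in headers.items()}
    submitted = lowered.get(CSRF_HEADER.lower())
    if submitted is None:
        return False
    return constant_time_equal(submitted, session_token)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    token = generate_csrf_token()
    print("GET without token:", csrf_check("GET", {}, token))
    print("POST without header:", csrf_check("POST", {}, token))
    print("POST with matching header:", csrf_check("POST", {CSRF_HEADER: token}, token))
    print("naive compare on 3-char prefix match:", naive_equal_steps("abcdef", "abcxyz"))
```

The `naive_equal_steps` counter is the point of the contrast: an attacker who can measure response time learns how many leading characters of a guess were right, which is exactly what a constant-time comparison denies them.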
Aug 17, 2015
Aug 18, 2015
Aug 20, 2015
So based on some testing, it seems like
Haven't investigated much; initial ideas are to only use
Edit: It looks like the root cause of this is yesod-test adding the "application/x-www-form-urlencoded" Content-Type to requests.