mirror of
https://github.com/gristlabs/grist-core.git
synced 2025-06-13 20:53:59 +00:00
Summary: For methods other than `GET`, `HEAD`, and `OPTIONS`, allow cookie-based authentication only if a certain custom header is present. Specifically, we check that `X-Requested-With` is set to `XMLHttpRequest`. This is somewhat arbitrary, but allows us to use https://expressjs.com/en/api.html#req.xhr. A request sent from a browser that sets a custom header will prompt a preflight check, giving us a chance to check if the origin is trusted.

This diff deals with getting the header in place. There will be more work to do after this:

* Make sure that all important endpoints are checking origin. Skimming code, /api endpoints check origin, and some but not all others.
* Add tests spot-testing origin checks.
* Check on cases that authenticate differently.
  - Check the websocket endpoint - it can be connected to from an arbitrary site; there is per-doc access control but probably better to lock it down more.
  - There may be old endpoints that authenticate based on knowledge of a client id rather than cookies.

Test Plan: added a test

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D2631
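The rule the commit message describes, written out as an added example (this is illustration code, not grist-core's implementation): a session cookie is honoured for `GET`/`HEAD`/`OPTIONS` unconditionally, but for any other method only when `X-Requested-With: XMLHttpRequest` is also present, using the same case-insensitive comparison Express performs for `req.xhr`. A plain HTML form or a simple cross-site `fetch` cannot attach that header, and a browser that does attach it must first pass a CORS preflight, which is where the server gets to refuse untrusted origins. The function names (`isXhr`, `cookieAuthAllowed`, `userFromRequest`, `handlePreflight`), the `req.session.userId` shape, the trusted-origin list and the sample requests are all assumptions constructed for this example.

```javascript
'use strict';
// Added example, not grist-core code. Implements: for methods other than
// GET/HEAD/OPTIONS, a session cookie only authenticates the request when
// X-Requested-With: XMLHttpRequest is also present. Names, the
// req.session.userId shape and the trusted-origin list are assumptions.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
// Headers a trusted origin is allowed to send on a cross-site request.
const ALLOWED_REQUEST_HEADERS = new Set(['content-type', 'x-requested-with']);

// Same test Express uses for req.xhr: the header value is compared case-insensitively.
function isXhr(req) {
  const value = req.headers['x-requested-with'];
  return typeof value === 'string' && value.toLowerCase() === 'xmlhttprequest';
}

// A form submission or simple cross-site fetch cannot add a custom header, and a
// browser that adds one must pass a CORS preflight first (see handlePreflight), so
// an unsafe request that carries the header has already had its origin vetted.
function cookieAuthAllowed(req) {
  return SAFE_METHODS.has(req.method.toUpperCase()) || isXhr(req);
}

// User id the request is authenticated as, or null. The session (assumed to have
// been loaded from the cookie by earlier middleware) is ignored for unsafe methods
// lacking the header; a bearer-token path, not shown here, would be unaffected.
function userFromRequest(req) {
  if (!req.session || !req.session.userId) { return null; }
  return cookieAuthAllowed(req) ? req.session.userId : null;
}

// Preflight handler: only a trusted origin is granted permission to send the custom
// header with credentials. If this refuses, the browser never sends the real request.
function handlePreflight(req, trustedOrigins) {
  const origin = req.headers['origin'];
  const requested = (req.headers['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  if (!origin || !trustedOrigins.has(origin)) { return { status: 403, headers: {} }; }
  if (requested.some(h => !ALLOWED_REQUEST_HEADERS.has(h))) { return { status: 403, headers: {} }; }
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
      'Access-Control-Allow-Headers': requested.join(', '),
      'Vary': 'Origin',
    },
  };
}

// Constructed sample requests (not captured traffic). The cookie has already been
// resolved to a session object, as a session middleware would do.
const TRUSTED = new Set(['https://app.example.test']);
const session = { userId: 42 };
// Cross-site form POST: cookie rides along, no custom header -> treated as anonymous.
const formPostFromEvilSite = { method: 'POST', headers: { cookie: 'sid=abc', origin: 'https://evil.test' }, session };
// Same-origin XHR POST with the header -> cookie auth accepted.
const xhrPost = { method: 'POST', headers: { cookie: 'sid=abc', 'x-requested-with': 'XMLHttpRequest' }, session };
// Plain GET: safe method, cookie auth accepted without the header.
const plainGet = { method: 'GET', headers: { cookie: 'sid=abc' }, session };
// Preflights a browser would send before a cross-site POST carrying the header.
const evilPreflight = { method: 'OPTIONS', headers: { origin: 'https://evil.test',
  'access-control-request-method': 'POST', 'access-control-request-headers': 'x-requested-with' } };
const trustedPreflight = { ...evilPreflight, headers: { ...evilPreflight.headers, origin: 'https://app.example.test' } };

function demo() {
  return {
    formPost: userFromRequest(formPostFromEvilSite),
    xhrPost: userFromRequest(xhrPost),
    plainGet: userFromRequest(plainGet),
    evilPreflight: handlePreflight(evilPreflight, TRUSTED).status,
    trustedPreflight: handlePreflight(trustedPreflight, TRUSTED).status,
  };
}

console.log(demo());
```

The guard only buys anything because browsers enforce CORS: a non-browser client can set any header it likes, so the header is a CSRF defence, not an authentication factor, and every state-changing endpoint still has to run the origin check the commit message lists as follow-up work.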
| Name |
|---|
| .. |
| ACIndex.ts |
| autocomplete.ts |
| browserGlobals.js |
| browserInfo.ts |
| chartUtil.ts |
| copyToClipboard.ts |
| CustomSectionElement.ts |
| Delay.ts |
| dispose.d.ts |
| dispose.js |
| DocPluginManager.ts |
| dom.js |
| domAsync.ts |
| download.js |
| FocusLayer.ts |
| fromKoSave.ts |
| guessTimezone.ts |
| helpScout.ts |
| imports.d.ts |
| imports.js |
| ImportSourceElement.ts |
| koArray.d.ts |
| koArray.js |
| koArrayWrap.ts |
| koDom.js |
| koDomScrolly.css |
| koDomScrolly.js |
| koForm.css |
| koForm.js |
| koSession.js |
| koUtil.js |
| listEntry.ts |
| loadScript.js |
| localStorageObs.ts |
| log.ts |
| Mousetrap.js |
| multiselect.css |
| multiselect.js |
| ObservableMap.js |
| ObservableSet.js |
| SafeBrowser.ts |
| SafeBrowserProcess.css |
| sessionObs.ts |
| sortUtil.ts |
| tableUtil.js |
| testState.ts |
| uploads.ts |
| UrlState.ts |