mirror of
https://github.com/gristlabs/grist-core.git
synced 2024-09-29 01:30:45 +00:00
bd6a54e901
Summary: For methods other than `GET`, `HEAD`, and `OPTIONS`, allow cookie-based authentication only if a certain custom header is present. Specifically, we check that `X-Requested-With` is set to `XMLHttpRequest`. This is somewhat arbitrary, but allows us to use https://expressjs.com/en/api.html#req.xhr. A request send from a browser that sets a custom header will prompt a preflight check, giving us a chance to check if the origin is trusted. This diff deals with getting the header in place. There will be more work to do after this: * Make sure that all important endpoints are checking origin. Skimming code, /api endpoint check origin, and some but not all others. * Add tests spot-testing origin checks. * Check on cases that authenticate differently. - Check the websocket endpoint - it can be connected to from an arbitrary site; there is per-doc access control but probably better to lock it down more. - There may be old endpoints that authenticate based on knowledge of a client id rather than cookies. Test Plan: added a test Reviewers: dsagal Reviewed By: dsagal Differential Revision: https://phab.getgrist.com/D2631 |
||
|---|---|---|
| .. | ||
| entities | ||
| AppModel.ts | ||
| BaseRowModel.js | ||
| BillingModel.ts | ||
| ClientColumnGetters.ts | ||
| ColumnACIndexes.ts | ||
| ColumnFilter.ts | ||
| ConnectState.ts | ||
| DataRowModel.ts | ||
| DataTableModel.js | ||
| DataTableModelWithDiff.ts | ||
| DocData.ts | ||
| DocListModel.js | ||
| DocModel.ts | ||
| DocPageModel.ts | ||
| errors.ts | ||
| gristConfigCache.ts | ||
| gristUrlState.ts | ||
| HomeModel.ts | ||
| MetaRowModel.js | ||
| MetaTableModel.js | ||
| modelUtil.js | ||
| NotifyModel.ts | ||
| QuerySet.ts | ||
| rowset.ts | ||
| rowuid.js | ||
| SearchModel.ts | ||
| SectionFilter.ts | ||
| TableData.ts | ||
| TableModel.js | ||
| TreeModel.ts | ||
| UserManagerModel.ts | ||
| UserPrefs.ts | ||
| WorkspaceInfo.ts | ||