gristlabs_grist-core/app/client/ui
Paul Fitzpatrick bd6a54e901 (core) mitigate csrf by requiring custom header for unsafe methods
Summary:
For methods other than `GET`, `HEAD`, and `OPTIONS`, allow cookie-based authentication only if a certain custom header is present.

Specifically, we check that `X-Requested-With` is set to `XMLHttpRequest`. This is somewhat arbitrary, but allows us to use https://expressjs.com/en/api.html#req.xhr.

A request sent from a browser that sets a custom header will prompt a preflight check, giving us a chance to check if the origin is trusted.

This diff deals with getting the header in place. There will be more work to do after this:
 * Make sure that all important endpoints are checking origin.  Skimming code, /api endpoints check origin, and some but not all others.
 * Add tests spot-testing origin checks.
 * Check on cases that authenticate differently.
    - Check the websocket endpoint - it can be connected to from an arbitrary site; there is per-doc access control but probably better to lock it down more.
    - There may be old endpoints that authenticate based on knowledge of a client id rather than cookies.

Test Plan: added a test

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D2631
2020-10-08 14:19:25 -04:00
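The gate described in the commit message, as an added example that is not grist-core's own code: a framework-agnostic model of "cookies count as authentication on unsafe methods only when X-Requested-With: XMLHttpRequest is present", plus the preflight handler that makes the header useful, since a cross-site page can only attach that header if the server allow-lists it for that origin. A minimal request shape stands in for Express's Request so the block runs without dependencies; the `presentedAuth` split between cookie and Authorization-header auth, the trusted-origin set and the sample requests are assumptions of this example, not Grist's real auth paths.

```typescript
// Added example, not grist-core code. Header names are lowercase, as Node's
// IncomingMessage delivers them.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
const CUSTOM_HEADER = 'x-requested-with';
const CUSTOM_VALUE = 'xmlhttprequest';

export interface MinimalRequest {
  method: string;
  headers: Record<string, string | undefined>;
}

export type AuthKind = 'none' | 'cookie' | 'bearer';

// Same test Express applies for req.xhr: case-insensitive match on the value.
export function isXhr(req: MinimalRequest): boolean {
  return (req.headers[CUSTOM_HEADER] ?? '').toLowerCase() === CUSTOM_VALUE;
}

// How the request presented credentials. Treating an Authorization header as
// non-cookie auth is an assumption of this example.
export function presentedAuth(req: MinimalRequest): AuthKind {
  if (req.headers['authorization']) return 'bearer';
  if (req.headers['cookie']) return 'cookie';
  return 'none';
}

// The mitigation: on unsafe methods, cookies are honoured only when the custom
// header is present. Otherwise the request is treated as anonymous and the
// endpoint's normal authorization decides what an anonymous caller may do.
// Header-based credentials are not attached automatically by browsers, so
// they are not subject to classic CSRF and pass through unchanged.
export function effectiveAuth(req: MinimalRequest): AuthKind {
  const auth = presentedAuth(req);
  if (auth !== 'cookie') return auth;
  if (SAFE_METHODS.has(req.method.toUpperCase())) return 'cookie';
  return isXhr(req) ? 'cookie' : 'none';
}

// Preflight: before a cross-site request that carries a custom header, the
// browser sends OPTIONS with Origin and Access-Control-Request-Headers. Only a
// trusted origin gets X-Requested-With allow-listed, so a hostile page can
// never get a credentialed request with that header past the browser.
export function preflightResponse(
  req: MinimalRequest, trustedOrigins: Set<string>,
): {status: number; headers: Record<string, string>} {
  const origin = req.headers['origin'];
  if (!origin || !trustedOrigins.has(origin)) {
    return {status: 403, headers: {}};   // no CORS headers at all for untrusted origins
  }
  const requested = (req.headers['access-control-request-headers'] ?? '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  // Echo back only headers we are willing to accept cross-site.
  const allowed = requested.filter(h => h === CUSTOM_HEADER || h === 'content-type');
  return {
    status: 204,
    headers: {
      'access-control-allow-origin': origin,
      'access-control-allow-credentials': 'true',
      'access-control-allow-headers': allowed.join(', '),
      'access-control-allow-methods': 'GET, POST, PUT, PATCH, DELETE',
      'vary': 'Origin',
    },
  };
}

// Constructed sample requests (not captured traffic).
export const samples: Record<string, MinimalRequest> = {
  // A form auto-submitted from another site: cookie rides along, no custom header.
  crossSiteForm: {method: 'POST', headers: {cookie: 'grist_sid=abc'}},
  // The app's own XHR/fetch call, which sets the header.
  appXhr: {method: 'POST', headers: {cookie: 'grist_sid=abc', 'x-requested-with': 'XMLHttpRequest'}},
  // Safe method: cookies are accepted without the header.
  plainGet: {method: 'GET', headers: {cookie: 'grist_sid=abc'}},
  // API client using a bearer key instead of cookies.
  apiClient: {method: 'DELETE', headers: {authorization: 'Bearer k3y'}},
};
```

Note that the gate downgrades rather than rejects: a cookie-only POST without the header proceeds as anonymous, which matches "allow cookie-based authentication only if" the header is present; an endpoint that requires a user still returns its usual 401/403. The preflight check is where the origin policy actually lives, which is why the commit lists "make sure all important endpoints are checking origin" as follow-up work.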
AccessRules.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
AccountWidget.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
AddNewButton.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
ApiKey.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
App.css (core) move client code to core 2020-10-02 13:24:21 -04:00
App.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
AppHeader.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
AppUI.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
BillingForm.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
BillingPage.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
BillingPageCss.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
BillingPlanManagers.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
buttons.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
ColumnFilterMenu.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
CustomThemes.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
DocHistory.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
DocMenu.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
DocMenuCss.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
Document.css (core) move client code to core 2020-10-02 13:24:21 -04:00
DocumentSettings.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
errorPages.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
ExampleCard.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
ExampleInfo.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
FieldMenus.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
FileDialog.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
GridOptions.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
GridViewMenus.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
HomeImports.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
HomeIntro.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
HomeLeftPane.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
LeftPanelCommon.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
MakeCopyMenu.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
modals.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
mouseDrag.ts Initial config with a few files that build on client and server side. 2020-05-20 00:50:46 -04:00
MultiSelector.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
NotifyUI.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
PagePanels.ts (core) support ?embed=true and &style=light for a clean embed experience 2020-08-14 13:34:38 -04:00
Pages.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
PageWidgetPicker.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
PinnedDocs.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
ProfileDialog.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
resizeHandle.ts Initial config with a few files that build on client and server side. 2020-05-20 00:50:46 -04:00
RightPanel.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
selectBy.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
shadowScroll.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
ShareMenu.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
Tools.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
tooltips.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
TopBar.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
TopBarCss.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
transientInput.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
transitions.ts (core) Show a welcome card when a user opens an example for the first time. 2020-09-09 23:08:50 -04:00
TreeViewComponent.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
TreeViewComponentCss.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
UserImage.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
UserManager.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
ViewLayoutMenu.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
ViewSectionMenu.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
VisibleFieldsConfig.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
WelcomePage.ts (core) mitigate csrf by requiring custom header for unsafe methods 2020-10-08 14:19:25 -04:00
widgetTypes.ts (core) move client code to core 2020-10-02 13:24:21 -04:00