gristlabs_grist-core/app/common
Paul Fitzpatrick bd6a54e901 (core) mitigate csrf by requiring custom header for unsafe methods
Summary:
For methods other than `GET`, `HEAD`, and `OPTIONS`, allow cookie-based authentication only if a certain custom header is present.

Specifically, we check that `X-Requested-With` is set to `XMLHttpRequest`. This is somewhat arbitrary, but allows us to use https://expressjs.com/en/api.html#req.xhr.

A request sent from a browser that sets a custom header will prompt a preflight check, giving us a chance to check if the origin is trusted.

This diff deals with getting the header in place. There will be more work to do after this:
 * Make sure that all important endpoints are checking origin.  Skimming code, /api endpoints check origin, and some but not all others.
 * Add tests spot-testing origin checks.
 * Check on cases that authenticate differently.
    - Check the websocket endpoint - it can be connected to from an arbitrary site; there is per-doc access control but probably better to lock it down more.
    - There may be old endpoints that authenticate based on knowledge of a client id rather than cookies.

Test Plan: added a test

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D2631
2020-10-08 14:19:25 -04:00
ActionBundle.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
ActionDispatcher.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
ActionGroup.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
ActionRouter.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
ActionSummary.ts (core) add more detail to /compare endpoint 2020-09-18 16:31:29 -04:00
ActiveDocAPI.ts (core) When saving copies, allow saving to another org; update menus for making and saving copies. 2020-07-27 14:11:02 -04:00
ApiError.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
arrayToString.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
AsyncCreate.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
AsyncFlow.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
BaseAPI.ts (core) mitigate csrf by requiring custom header for unsafe methods 2020-10-08 14:19:25 -04:00
BasketClientAPI.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
BigInt.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
BillingAPI.ts (core) Changes to Billing to better handle error scenarios. 2020-07-22 14:40:54 -04:00
BinaryIndexedTree.js (core) move client code to core 2020-10-02 13:24:21 -04:00
BrowserSettings.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
ColumnGetters.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
declarations.d.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
delay.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
DisposableWithEvents.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
DocActions.ts (core) visualize simple differences between documents 2020-09-29 15:29:40 -04:00
DocData.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
DocListAPI.ts (core) support ?embed=true and &style=light for a clean embed experience 2020-08-14 13:34:38 -04:00
emails.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
EncActionBundle.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
ErrorWithCode.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
Features.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
Formula.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
GristServerAPI.ts (core) remove metrics 2020-09-29 18:57:56 -04:00
gristTypes.ts (core) visualize simple differences between documents 2020-09-29 15:29:40 -04:00
gristUrls.ts (core) With ?aclUI=1 in the URL, UserManager for documents includes a button to open 'Access Rules' 2020-09-29 23:15:20 -04:00
gutil.ts (core) support ?embed=true and &style=light for a clean embed experience 2020-08-14 13:34:38 -04:00
InactivityTimer.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
KeyedOps.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
LoginSessionAPI.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
LoginState.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
marshal.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
MemBuffer.js (core) move home server into core 2020-07-21 20:39:10 -04:00
NumberFormat.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
orgNameUtils.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
parseDate.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
plugin.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
PluginInstance.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
Prefs.ts (core) Show a welcome card when a user opens an example for the first time. 2020-09-09 23:08:50 -04:00
RefCountMap.ts (core) Improve focus and keyboard shortcuts in modals. 2020-10-03 22:56:00 -04:00
resetOrg.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
roles.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
schema.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
sharing.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
SortFunc.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
StringUnion.ts (core) Implement updated DocMenu UI: list/card mode and sort mode. 2020-08-19 11:31:42 -04:00
TableData.ts (core) With ?aclUI=1 in the URL, UserManager for documents includes a button to open 'Access Rules' 2020-09-29 23:15:20 -04:00
TabularDiff.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
tbind.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
TestState.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
timeFormat.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
tpromisified.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
tsconfig.json (core) more grist-core cleanup 2020-07-23 16:21:08 -04:00
tsvFormat.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
uploads.ts (core) move home server into core 2020-07-21 20:39:10 -04:00
urlUtils.ts (core) remove metrics 2020-09-29 18:57:56 -04:00
UserAPI.ts (core) mitigate csrf by requiring custom header for unsafe methods 2020-10-08 14:19:25 -04:00
UserConfig.ts (core) remove metrics 2020-09-29 18:57:56 -04:00
ValueFormatter.ts (core) Improve object serialization, to help get RECORD data to Custom Widgets. 2020-08-21 18:33:28 -04:00