mirror of
https://github.com/gristlabs/grist-core.git
synced 2024-10-27 20:44:07 +00:00
bd6a54e901
Summary: For methods other than `GET`, `HEAD`, and `OPTIONS`, allow cookie-based authentication only if a certain custom header is present. Specifically, we check that `X-Requested-With` is set to `XMLHttpRequest`. This is somewhat arbitrary, but allows us to use https://expressjs.com/en/api.html#req.xhr. A request send from a browser that sets a custom header will prompt a preflight check, giving us a chance to check if the origin is trusted. This diff deals with getting the header in place. There will be more work to do after this: * Make sure that all important endpoints are checking origin. Skimming code, /api endpoint check origin, and some but not all others. * Add tests spot-testing origin checks. * Check on cases that authenticate differently. - Check the websocket endpoint - it can be connected to from an arbitrary site; there is per-doc access control but probably better to lock it down more. - There may be old endpoints that authenticate based on knowledge of a client id rather than cookies. Test Plan: added a test Reviewers: dsagal Reviewed By: dsagal Differential Revision: https://phab.getgrist.com/D2631 |
||
|---|---|---|
| .. | ||
| ActionBundle.ts | ||
| ActionDispatcher.ts | ||
| ActionGroup.ts | ||
| ActionRouter.ts | ||
| ActionSummary.ts | ||
| ActiveDocAPI.ts | ||
| ApiError.ts | ||
| arrayToString.ts | ||
| AsyncCreate.ts | ||
| AsyncFlow.ts | ||
| BaseAPI.ts | ||
| BasketClientAPI.ts | ||
| BigInt.ts | ||
| BillingAPI.ts | ||
| BinaryIndexedTree.js | ||
| BrowserSettings.ts | ||
| ColumnGetters.ts | ||
| declarations.d.ts | ||
| delay.ts | ||
| DisposableWithEvents.ts | ||
| DocActions.ts | ||
| DocData.ts | ||
| DocListAPI.ts | ||
| emails.ts | ||
| EncActionBundle.ts | ||
| ErrorWithCode.ts | ||
| Features.ts | ||
| Formula.ts | ||
| GristServerAPI.ts | ||
| gristTypes.ts | ||
| gristUrls.ts | ||
| gutil.ts | ||
| InactivityTimer.ts | ||
| KeyedOps.ts | ||
| LoginSessionAPI.ts | ||
| LoginState.ts | ||
| marshal.ts | ||
| MemBuffer.js | ||
| NumberFormat.ts | ||
| orgNameUtils.ts | ||
| parseDate.ts | ||
| plugin.ts | ||
| PluginInstance.ts | ||
| Prefs.ts | ||
| RefCountMap.ts | ||
| resetOrg.ts | ||
| roles.ts | ||
| schema.ts | ||
| sharing.ts | ||
| SortFunc.ts | ||
| StringUnion.ts | ||
| TableData.ts | ||
| TabularDiff.ts | ||
| tbind.ts | ||
| TestState.ts | ||
| timeFormat.ts | ||
| tpromisified.ts | ||
| tsconfig.json | ||
| tsvFormat.ts | ||
| uploads.ts | ||
| urlUtils.ts | ||
| UserAPI.ts | ||
| UserConfig.ts | ||
| ValueFormatter.ts | ||