aurora-issues mailing list archives

From "Bhuvan Arumugam (JIRA)" <>
Subject [jira] [Created] (AURORA-705) CSRF protection for aurora web interface
Date Fri, 12 Sep 2014 06:59:33 GMT
Bhuvan Arumugam created AURORA-705:

             Summary: CSRF protection for aurora web interface
                 Key: AURORA-705
             Project: Aurora
          Issue Type: Task
          Components: Scheduler
    Affects Versions: 0.5.0
            Reporter: Bhuvan Arumugam

The Aurora web requests don't include an {{X-CSRF-TOKEN}} header or a {{CSRF-TOKEN}} cookie. These
two fields in the HTTP request are necessary to protect users from cross-site request fraud.

Similarly, the {{CorsFilter}} on the server side should allow this header. It looks like the {{}}
library used to manage headers doesn't support adding the {{X-CSRF-Token}} header to {{Access-Control-Allowed-Headers}}.

Considering that AngularJS and the scheduler interact using POST for most endpoints, via Thrift/{{XMLHttpRequest}},
it's important to protect against CSRF frauds.

This message was sent by Atlassian JIRA
