aurora-issues mailing list archives

From "Bhuvan Arumugam (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AURORA-705) CSRF protection for aurora web interface
Date Fri, 12 Sep 2014 06:59:33 GMT
Bhuvan Arumugam created AURORA-705:
--------------------------------------

             Summary: CSRF protection for aurora web interface
                 Key: AURORA-705
                 URL: https://issues.apache.org/jira/browse/AURORA-705
             Project: Aurora
          Issue Type: Task
          Components: Scheduler
    Affects Versions: 0.5.0
            Reporter: Bhuvan Arumugam


The Aurora web requests don't include an {{X-CSRF-TOKEN}} header or a {{CSRF-TOKEN}} cookie. These
two fields in the HTTP request are necessary to protect users from cross site request fraud.

Similarly, the {{CorsFilter}} on the server side should allow this header. It looks like the {{com.google.common.net.HttpHeaders}}
library used to manage headers doesn't support adding an {{X-CSRF-Token}} header in {{Access-Control-Allowed-Headers}}.

Considering that AngularJS and the scheduler interact using POST for most endpoints, via Thrift/{{XMLHttpRequest}},
it's important to protect against CSRF frauds.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
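The double-submit check the report asks for, written here as an added example rather than Aurora's own code: a servlet filter that issues the CSRF-TOKEN cookie, requires a matching X-CSRF-TOKEN header on every non-safe request, and names that header in Access-Control-Allow-Headers so a cross-origin preflight admits it. The class name CsrfTokenFilter, the use of the javax.servlet API and the Guava HttpHeaders constants are assumptions about how such a filter would be wired into the scheduler.

```java
import com.google.common.net.HttpHeaders;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
// Hypothetical double-submit-cookie CSRF filter; not part of Aurora.
public final class CsrfTokenFilter implements Filter {
  static final String COOKIE_NAME = "CSRF-TOKEN";
  static final String HEADER_NAME = "X-CSRF-TOKEN"; // Guava HttpHeaders has no constant for this
  private final SecureRandom random = new SecureRandom();
  @Override public void init(FilterConfig config) {}
  @Override public void destroy() {}
  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    // Advertise the custom header so a cross-origin preflight lets the client send it.
    response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS,
        HttpHeaders.CONTENT_TYPE + ", " + HEADER_NAME);
    String cookieToken = null;
    if (request.getCookies() != null) {
      for (Cookie c : request.getCookies()) {
        if (COOKIE_NAME.equals(c.getName())) cookieToken = c.getValue();
      }
    }
    if (cookieToken == null) {
      // First visit: mint 256 random bits. Deliberately not HttpOnly, because the
      // AngularJS client must read the cookie to echo its value back in the header.
      byte[] bytes = new byte[32];
      random.nextBytes(bytes);
      cookieToken = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
      Cookie cookie = new Cookie(COOKIE_NAME, cookieToken);
      cookie.setPath("/");
      cookie.setSecure(true);
      response.addCookie(cookie);
    }
    // Safe methods change no state and need no token.
    if (request.getMethod().matches("GET|HEAD|OPTIONS")) { chain.doFilter(req, res); return; }
    // State-changing request: the header must equal the cookie, compared in constant time.
    String headerToken = request.getHeader(HEADER_NAME);
    if (headerToken == null || !MessageDigest.isEqual(cookieToken.getBytes(StandardCharsets.UTF_8),
        headerToken.getBytes(StandardCharsets.UTF_8))) {
      response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
      return;
    }
    chain.doFilter(req, res);
  }
}
```

A cross-site page can cause the browser to send the cookie but cannot read it, so it cannot supply the matching header; only same-origin script that reads the cookie can.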
