incubator-allura-commits mailing list archives

From john...@apache.org
Subject [3/3] git commit: [#4571] only apply set-cookie for csrf protection when serving html pages
Date Tue, 09 Oct 2012 20:53:05 GMT
[#4571] only apply set-cookie for csrf protection when serving html pages

Only HTML content needs this cookie, since it's used via JS on web forms to
prevent CSRF.  Removing it from all other content (e.g. icons, attachments)
makes those responses more cacheable.


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/2074e912
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/2074e912
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/2074e912

Branch: refs/heads/master
Commit: 2074e912da8c1f5d6571d3dd429033803eca436f
Parents: f5556c1
Author: Dave Brondsema <dbrondsema@geek.net>
Authored: Tue Oct 9 19:13:38 2012 +0000
Committer: Dave Brondsema <dbrondsema@geek.net>
Committed: Tue Oct 9 19:13:38 2012 +0000

----------------------------------------------------------------------
 Allura/allura/lib/custom_middleware.py |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/2074e912/Allura/allura/lib/custom_middleware.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 65d1926..6075653 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -108,9 +108,10 @@ class CSRFMiddleware(object):
                 log.warning('CSRF attempt detected, %r != %r', cookie, param)
                 environ.pop('HTTP_COOKIE', None)
         def session_start_response(status, headers, exc_info = None):
-            headers.append(
-                ('Set-cookie',
-                 str('%s=%s; Path=/' % (self._cookie_name, cookie))))
+            if dict(headers).get('Content-Type', '').startswith('text/html'):
+                headers.append(
+                    ('Set-cookie',
+                     str('%s=%s; Path=/' % (self._cookie_name, cookie))))
             return start_response(status, headers, exc_info)
         return self._app(environ, session_start_response)
 
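Review bot: the `dict(headers).get('Content-Type', '')` lookup on the new `if` line matches the header name case-sensitively, so any response whose application emits the header as `content-type` or `Content-type` is treated as non-HTML and silently stops receiving the CSRF cookie; consider a case-insensitive match, e.g. `any(k.lower() == 'content-type' and v.startswith('text/html') for k, v in headers)`. Worth stating in the commit message too: the cookie is now only (re)issued on HTML responses, so the `cookie != param` check above, which still runs for every request, relies on an earlier HTML page having set the cookie before any non-HTML endpoint is called.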

