Accept CSRF on CORS routes #31807
Accept CSRF on CORS routes #31807
Conversation
jotoeri
requested review from
nickvergessen,
icewind1991,
ChristophWurst,
juliusknorr and
come-nc
|
/backport to stable23 |
|
/backport to stable22 |
|
@juliushaertl since you did one of the previous PRs do you have any insight on the implication? |
|
Seems like a legit addition also after reading up a bit on the potential risks and discussion in regards to OCS/CORS/CSRF in owncloud/core#15894 Still some additional pair of eyes maybe from @PVince81 would be good I think. |
|
Any opinion, @PVince81 ? 😉 |
|
Anybody wanna have a look, before it only gets shifted further and further? 😢 |
jotoeri
force-pushed
the
fix/cors_csrf
branch
from
2ae0a30 to
f52d8ce
Compare
|
@nickvergessen @juliushaertl @eneiluj @miaulalala Anybody else here? I'm really sorry for asking again, but afaik rc1 is planned for thursday, no? And as we cannot restrict for patch minversion in apps, it'd be good to have it in there. Or are there any concerns, which block any reactions currently? |
|
/rebase |
Co-authored-by: Julius Härtl <[email protected]> Co-authored-by: Andreas Brinner <[email protected]> Signed-off-by: Jonas Rittershofer <[email protected]>
nextcloud-command
force-pushed
the
fix/cors_csrf
branch
from
f52d8ce to
c8b7a23
Compare
|
Error unrelated |
On Forms we got the request to allow CORS on our (OCS-)API routes. However, if i add the CORS Annotation to the OCS-Controller Methods, our internal calls to the API (with CSRF) do not work anymore.
This PR now enables to allow both, CSRF and the classical CORS requests on the OCS-routes.
Basically, this PR includes #31698 and takes a part out of #19354, since both is necessary to make it work. The latter imo initially had a similar intention like the current PR, but has been closed due to the discussion on another topic. 😉