Jordan Owens
a2fe3e698b
Add allow_if option to bypass json csrf protection
2017-03-12 23:00:26 -04:00
Zachary Scott
66786bac2b
Document `:origin_whitelist` option for HttpOrigin and pointer from JsonCsrf
closes #63
2016-08-01 16:32:11 +09:00
Jens Ulferts
4d17ca61e4
closes body on prevented JsonCsrf
2014-02-28 13:34:13 +01:00
Konstantin Haase
5d4f1d8ba3
let json_csrf always deny, fixes #50
2013-10-21 11:38:36 +02:00
Matteo Centenaro
fa58e053f1
FIX: check for nil response on JsonCsrf protection
Some reactions do not return a response; think, for example, of drop_session. In that case a nil response
would be returned, see issue #50.
2013-04-08 11:23:05 +02:00
Konstantin Haase
8a2514674c
xhr requests cannot be used for the json attack, fixes #39
2013-03-01 15:43:27 +11:00
Bjørge Næss
fd4687f331
Bypass referer check if Origin header is given
2012-09-05 10:08:09 +02:00
Chris Mytton
d528b5aa6c
Show warnings for a `JsonCsrf` attack.
Since the `JsonCsrf` middleware overrides the `call` method, the default
warning is never displayed. I couldn't figure out why sinatra was
returning a 403 for CORS and JSONP requests, tracked it down to this.
2011-12-02 19:57:46 +00:00
Fojas
34003df86e
Fixed call strip call on missing Content-Type header
2011-08-11 09:38:46 -05:00
Corey Ward
8f12dcd671
Spelling: volnurable -> vulnerable
2011-06-30 09:31:09 -07:00
Konstantin Haase
6a8d4a0359
fix superclass
this didn't matter, since it overrides call
2011-06-20 09:22:15 +02:00
Konstantin Haase
62dd794011
add JSON CSRF protection
2011-06-19 15:26:39 +02:00
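The checks these commits add and adjust over the years (deny only when the response is JSON, skip XHR requests, skip requests carrying an Origin header, compare the Referer host, tolerate a missing Content-Type header, close the unsent body on denial, and the allow_if escape hatch) are shown together below as one added Ruby example. It is illustrative code written for this page, not rack-protection's own JsonCsrf middleware; the class name JsonCsrfGuard, its helpers, and the constructed sample apps and request envs are assumptions.

```ruby
require 'uri'

# Added example, not rack-protection's own code: a minimal Rack-style
# middleware that reproduces the checks the commits above describe.
# Class, option and helper names are assumed. The wrapped app returns a
# Rack triple [status, headers, body]; env is a plain Rack env hash.
class JsonCsrfGuard
  DENIED = [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']].freeze

  # allow_if: optional lambda receiving env; returning true skips the check.
  def initialize(app, allow_if: nil)
    @app = app
    @allow_if = allow_if
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless has_vector?(env, headers)

    # The generated body is never sent, so release whatever it holds
    # (open file, DB cursor) before replacing it with a fixed denial.
    body.close if body.respond_to?(:close)
    DENIED.dup
  end

  # JSON hijacking needs four things at once: the response is JSON, the
  # request was a plain browser fetch (no XHR marker), the browser sent no
  # Origin header (a request carrying Origin can be judged by an origin
  # check instead), and the Referer names a foreign host.
  def has_vector?(env, headers)
    return false if env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
    return false if @allow_if && @allow_if.call(env)
    return false unless json_response?(headers)
    return false unless env['HTTP_ORIGIN'].nil?
    referrer_host(env) != env['HTTP_HOST']
  end

  private

  # Tolerates a missing Content-Type and ignores parameters such as
  # "; charset=utf-8".
  def json_response?(headers)
    ct = (headers['Content-Type'] || headers['content-type']).to_s
    ct.split(';', 2).first.to_s.strip.casecmp?('application/json')
  end

  # An absent Referer is treated as same-origin (a <script src> load from an
  # attacker page normally carries one); an unparseable one fails closed.
  def referrer_host(env)
    ref = env['HTTP_REFERER'].to_s
    return env['HTTP_HOST'] if ref.empty?
    URI.parse(ref).host
  rescue URI::InvalidURIError
    nil
  end
end

# A body object that records whether the middleware closed it.
class TrackedBody
  attr_reader :closed
  def initialize(chunks)
    @chunks = chunks
    @closed = false
  end
  def each(&block)
    @chunks.each(&block)
  end
  def close
    @closed = true
  end
end

# Constructed sample apps and requests so the example runs stand-alone.
JSON_APP  = ->(_env) { [200, { 'Content-Type' => 'application/json; charset=utf-8' }, ['{"secret":1}']] }
HTML_APP  = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<p>hi</p>']] }
NO_CT_APP = ->(_env) { [200, {}, ['raw']] }

def request_env(referer: nil, origin: nil, xhr: false, path: '/api.json')
  env = { 'REQUEST_METHOD' => 'GET', 'HTTP_HOST' => 'app.example', 'PATH_INFO' => path }
  env['HTTP_REFERER'] = referer if referer
  env['HTTP_ORIGIN'] = origin if origin
  env['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest' if xhr
  env
end

# Returns only the status so the outcome of each scenario is easy to compare.
def guard_status(env, app: JSON_APP, allow_if: nil)
  JsonCsrfGuard.new(app, allow_if: allow_if).call(env).first
end

if __FILE__ == $PROGRAM_NAME
  puts guard_status(request_env(referer: 'https://evil.example/steal'))            # 403
  puts guard_status(request_env(referer: 'https://app.example/page'))              # 200
  puts guard_status(request_env(referer: 'https://evil.example/steal', xhr: true)) # 200
end
```

The Origin bypass is only safe when another layer actually validates that header (the `:origin_whitelist` pointer in the 2016 commit is about exactly that); on its own, skipping the referrer comparison whenever Origin is present would let any cross-site request that carries Origin through. Treating an empty Referer as same-origin mirrors the trade-off the page's commits settled on: it keeps direct navigations, CORS and JSONP-style clients working, at the cost of relying on the browser sending Referer for `<script src>` loads.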