Commit Graph

12 Commits

Author SHA1 Message Date
Jordan Owens a2fe3e698b Add allow_if option to bypass json csrf protection 2017-03-12 23:00:26 -04:00
Zachary Scott 66786bac2b Document `:origin_whitelist` option for HttpOrigin and pointer from JsonCsrf
closes #63
2016-08-01 16:32:11 +09:00
Jens Ulferts 4d17ca61e4 closes body on prevented JsonCsrf 2014-02-28 13:34:13 +01:00
Konstantin Haase 5d4f1d8ba3 let json_csrf always deny, fixes #50 2013-10-21 11:38:36 +02:00
Matteo Centenaro fa58e053f1 FIX: check for nil response on JsonCsrf protection
Some reactions do not return a response, think for example of drop_session. In that case a nil response
would be returned, see issue #50.
2013-04-08 11:23:05 +02:00
Konstantin Haase 8a2514674c xhr requests cannot be used for the json attack, fixes #39 2013-03-01 15:43:27 +11:00
Bjørge Næss fd4687f331 Bypass referer check if Origin header is given 2012-09-05 10:08:09 +02:00
Chris Mytton d528b5aa6c Show warnings for a `JsonCsrf` attack.
Since the `JsonCsrf` middleware overrides the `call` method, the default
warning is never displayed. I couldn't figure out why sinatra was
returning a 403 for CORS and JSONP requests, tracked it down to this.
2011-12-02 19:57:46 +00:00
Fojas 34003df86e Fixed call strip call on missing Content-Type header 2011-08-11 09:38:46 -05:00
Corey Ward 8f12dcd671 Spelling: volnurable -> vulnerable 2011-06-30 09:31:09 -07:00
Konstantin Haase 6a8d4a0359 fix superclass
this didn't matter, since it overrides call
2011-06-20 09:22:15 +02:00
Konstantin Haase 62dd794011 add JSON CSRF protection 2011-06-19 15:26:39 +02:00