You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@couchdb.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2015/08/12 20:29:45 UTC
[jira] [Commented] (COUCHDB-2769) Indicate when CSRF protection is
active
[ https://issues.apache.org/jira/browse/COUCHDB-2769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14693978#comment-14693978 ]
ASF GitHub Bot commented on COUCHDB-2769:
-----------------------------------------
GitHub user robertkowalski opened a pull request:
https://github.com/apache/couchdb-fauxton/pull/497
Add CSRF indicator
includes a lot of refactoring and bug fixes, click on each commit for less noise in the diff :)
main patch:
```
adds a small indicator to the sidebar if we are protected
against CSRF.
to test, comment `res.setHeader('x-couchdb-csrf-valid', 'true');`
in `tasks/couchserver.js` and browse without logging into fauxton
we have to modify the dev-server to test as the dev-version of
fauxton fetches the html templates through it with ajax, which is
disturbing for the detection.
this closes COUCHDB-2769
```
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/robertkowalski/couchdb-fauxton csrf-indicator
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/couchdb-fauxton/pull/497.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #497
----
commit a6a52a51a5c486deacbcb785c093c9705af21838
Author: Robert Kowalski <ro...@apache.org>
Date: 2015-08-12T17:34:03Z
fix removeHeaderLink function
`_.first` returns the first element of an array.
commit 5f380c9c0e3053ff3f776ac704a520c80f2f0fe6
Author: Robert Kowalski <ro...@apache.org>
Date: 2015-08-12T17:35:18Z
Refactor code
- use early returns
- fix formatting
commit 018d967b76ea47243845dfa674bc3c0d1545b0db
Author: Robert Kowalski <ro...@apache.org>
Date: 2015-08-12T18:22:41Z
refactor navbar rendering
commit 9d84a5be602637f7827aa9dd46a425398086ee64
Author: Robert Kowalski <ro...@apache.org>
Date: 2015-08-12T18:23:41Z
csrf: add CSRF indicator
adds a small indicator to the sidebar if we are protected
against CSRF.
to test, comment `res.setHeader('x-couchdb-csrf-valid', 'true');`
in `tasks/couchserver.js` and browse without logging into fauxton
we have to modify the dev-server to test as the dev-version of
fauxton fetches the html templates through it with ajax, which is
disturbing for the detection.
this closes COUCHDB-2769
----
> Indicate when CSRF protection is active
> ---------------------------------------
>
> Key: COUCHDB-2769
> URL: https://issues.apache.org/jira/browse/COUCHDB-2769
> Project: CouchDB
> Issue Type: Improvement
> Security Level: public(Regular issues)
> Components: Fauxton
> Reporter: Robert Newson
> Assignee: Robert Kowalski
>
> Any request that was protected by CouchDB's native CSRF prevention system will return a X-CouchDB-CSRF-Valid response header with value "true".
> Indicate on every screen whether this happens or not. Doesn't have to be prominent but should always be present (indicating protected vs not protected clearly).
> Suggestion is the phrase "CSRF protected" appears in green vs "CSRF vulnerable" in red somewhere in the bottom left where Logout and logo live.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)