Posted to commits@allura.apache.org by jo...@apache.org on 2012/10/09 22:53:05 UTC

[3/3] git commit: [#4571] only apply set-cookie for csrf protection when serving html pages

[#4571] only apply set-cookie for csrf protection when serving html pages

Only HTML content needs this cookie, since it's used via JS on web forms to
prevent CSRF.  Removing it from all other content (e.g. icons, attachments)
makes those responses more cacheable.


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/2074e912
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/2074e912
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/2074e912

Branch: refs/heads/master
Commit: 2074e912da8c1f5d6571d3dd429033803eca436f
Parents: f5556c1
Author: Dave Brondsema <db...@geek.net>
Authored: Tue Oct 9 19:13:38 2012 +0000
Committer: Dave Brondsema <db...@geek.net>
Committed: Tue Oct 9 19:13:38 2012 +0000

----------------------------------------------------------------------
 Allura/allura/lib/custom_middleware.py |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/2074e912/Allura/allura/lib/custom_middleware.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 65d1926..6075653 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -108,9 +108,10 @@ class CSRFMiddleware(object):
                 log.warning('CSRF attempt detected, %r != %r', cookie, param)
                 environ.pop('HTTP_COOKIE', None)
         def session_start_response(status, headers, exc_info = None):
-            headers.append(
-                ('Set-cookie',
-                 str('%s=%s; Path=/' % (self._cookie_name, cookie))))
+            if dict(headers).get('Content-Type', '').startswith('text/html'):
+                headers.append(
+                    ('Set-cookie',
+                     str('%s=%s; Path=/' % (self._cookie_name, cookie))))
             return start_response(status, headers, exc_info)
         return self._app(environ, session_start_response)
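Review bot: The new content-type test on the `dict(headers).get('Content-Type', '')` line matches the header name case-sensitively, so an app or downstream middleware that emits `content-type` (HTTP header names are case-insensitive, and `dict(headers)` also keeps only the last duplicate) silently loses the CSRF cookie on HTML pages, which turns into a spurious "CSRF attempt detected" rejection on the next form post rather than a visible error. A case-insensitive lookup avoids that: `content_type = next((v for k, v in headers if k.lower() == 'content-type'), '')` followed by `if content_type.lower().startswith('text/html'):`. It is also worth a comment noting that the cookie is deliberately not `HttpOnly` because the double-submit pattern reads it from JS, and that a client whose first request is non-HTML (e.g. an API call) will not receive the cookie until it loads a page — presumably acceptable, but confirm against how the check at the top of the hunk treats a missing cookie. The enclosing method of `CSRFMiddleware` starts outside the hunk.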