Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2019/07/27 01:04:06 UTC

[GitHub] [incubator-superset] graceguo-supercat opened a new pull request #7935: [feature flag] Enforce csrf protection on explore_json endpoint

URL: https://github.com/apache/incubator-superset/pull/7935
### CATEGORY

Choose one

- [ ] Bug Fix
- [x] Enhancement (new features, refinement)
- [ ] Refactor
- [ ] Add tests
- [ ] Build / Development Environment
- [ ] Documentation

### SUMMARY
This PR is to resume the work in #7449. For some security concerns, we need to enforce CSRF protection on query requests to the `explore_json` endpoint.

So I want to add a new feature flag: `ENABLE_EXPLORE_JSON_CSRF_PROTECTION`. When `ENABLE_EXPLORE_JSON_CSRF_PROTECTION` is set to true, users cannot make POST requests to `explore_json`.

The default value for this feature is `False` (current behavior): `explore_json` accepts both GET and POST requests.

### TEST PLAN
Send a GET request to `explore_json`; you will get a `405 Method Not Allowed` exception.

### REVIEWERS
@DiggidyDave @betodealmeida @john-bodley
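As an added illustration (not Superset's own code) of the gating this flag describes, following the outcome the test plan states (GET rejected with 405 once the flag is on): a small WSGI stand-in derives the allowed methods from the flag and demands a CSRF token on POST, which is the point of dropping GET, since CSRF middleware only checks tokens on state-changing methods. The `X-CSRFToken` header name, the route path and the token comparison are assumptions.

```python
import hmac
from typing import Callable, Dict, Iterable, List, Optional


def explore_json_methods(flags: Dict[str, bool]) -> List[str]:
    """Return the HTTP methods explore_json should accept under these flags.

    CSRF middleware only validates tokens on state-changing methods, so a
    GET route is an unprotected path; with the flag on, only POST remains.
    """
    methods = ["POST"]
    if not flags.get("ENABLE_EXPLORE_JSON_CSRF_PROTECTION", False):
        methods.append("GET")  # default: current behaviour, GET and POST both accepted
    return methods


def make_explore_json_app(flags: Dict[str, bool], session_token: str) -> Callable:
    """Build a minimal WSGI app standing in for the explore_json view (hypothetical)."""
    allowed = explore_json_methods(flags)

    def app(environ: Dict, start_response: Callable) -> Iterable[bytes]:
        method = environ["REQUEST_METHOD"]
        if method not in allowed:
            start_response("405 Method Not Allowed", [("Allow", ", ".join(allowed))])
            return [b"Method Not Allowed"]
        if method == "POST":
            # Assumed header name; constant-time comparison against the session's token.
            sent = environ.get("HTTP_X_CSRFTOKEN", "").encode()
            if not hmac.compare_digest(sent, session_token.encode()):
                start_response("400 Bad Request", [("Content-Type", "text/plain")])
                return [b"The CSRF token is missing or invalid"]
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b'{"status": "ok"}']

    return app


def request_status(app: Callable, method: str, headers: Optional[Dict[str, str]] = None) -> str:
    """Call a WSGI app with a constructed environ and return its status line."""
    captured = {}

    def start_response(status: str, response_headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/explore_json/table/1/"}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    list(app(environ, start_response))  # drain the response body
    return captured["status"]
```

With the flag off, `request_status(app, "GET")` returns `200 OK`; with it on, the same call returns `405 Method Not Allowed` and a POST succeeds only with the matching token.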
