diff options
| author | NavaL <ayoyo@thoughtworks.com> | 2016-02-24 16:33:20 +0100 |
|---|---|---|
| committer | NavaL <mnandri@thoughtworks.com> | 2016-02-25 09:17:53 +0100 |
| commit | 9573bdca55ddc5488066d3af525e41ed1d872ea6 (patch) | |
| tree | 228ca246c306bd44faa37c01e52c6d7aefec1531 /web-ui/app/js/helpers | |
| parent | b79035b83e81e4fd654b587426083c6033e695ad (diff) | |
Backend and frontend protection against csrf attacks:
- root resources changes the csrf token cookie everytime it is loaded, in particular during the intestitial load during login
- it will also add that cookie on single user mode
- initialize will still load all resources
- but they you cant access them if the csrf token do not match
- all ajax calls needs to add the token to the header
- non ajax get requests do not need xsrf token validation
- non ajax post will have to send the token in as a form input or in the content
Issue #612
Diffstat (limited to 'web-ui/app/js/helpers')
| -rw-r--r-- | web-ui/app/js/helpers/browser.js | 9 | ||||
| -rw-r--r-- | web-ui/app/js/helpers/monitored_ajax.js | 10 |
2 files changed, 14 insertions, 5 deletions
diff --git a/web-ui/app/js/helpers/browser.js b/web-ui/app/js/helpers/browser.js index e5be6667..23aa79c8 100644 --- a/web-ui/app/js/helpers/browser.js +++ b/web-ui/app/js/helpers/browser.js @@ -23,7 +23,14 @@ define([], function () { window.location.replace(url); } + function getCookie(name) { + var value = '; ' + document.cookie; + var parts = value.split('; ' + name + '='); + if (parts.length === 2) return parts.pop().split(';').shift(); + } + return { - redirect: redirect + redirect: redirect, + getCookie: getCookie }; }); diff --git a/web-ui/app/js/helpers/monitored_ajax.js b/web-ui/app/js/helpers/monitored_ajax.js index 1cb720de..dc182d58 100644 --- a/web-ui/app/js/helpers/monitored_ajax.js +++ b/web-ui/app/js/helpers/monitored_ajax.js @@ -36,6 +36,8 @@ define(['page/events', 'views/i18n', 'helpers/browser'], function (events, i18n, } }; + config.headers = {'X-XSRF-TOKEN': browser.getCookie('XSRF-TOKEN')}; + var originalComplete = config.complete; config.complete = function () { if (originalComplete) { @@ -46,15 +48,15 @@ define(['page/events', 'views/i18n', 'helpers/browser'], function (events, i18n, return $.ajax(url, config).fail(function (xmlhttprequest, textstatus, message) { if (!config.skipErrorMessage) { var msg = (xmlhttprequest.responseJSON && xmlhttprequest.responseJSON.message) || - messages[textstatus] || - 'unexpected problem while talking to server'; - on.trigger(document, events.ui.userAlerts.displayMessage, {message: i18n(msg)}); + messages[textstatus] || + 'unexpected problem while talking to server'; + on.trigger(document, events.ui.userAlerts.displayMessage, {message: i18n(msg), class: 'error'}); } if (xmlhttprequest.status === 302) { var redirectUrl = xmlhttprequest.getResponseHeader('Location'); browser.redirect(redirectUrl); - }else if (xmlhttprequest.status === 401) { + } else if (xmlhttprequest.status === 401) { browser.redirect('/'); } |