From 9573bdca55ddc5488066d3af525e41ed1d872ea6 Mon Sep 17 00:00:00 2001 From: NavaL Date: Wed, 24 Feb 2016 16:33:20 +0100 Subject: Backend and frontend protection against csrf attacks: - root resources changes the csrf token cookie everytime it is loaded, in particular during the intestitial load during login - it will also add that cookie on single user mode - initialize will still load all resources - but they you cant access them if the csrf token do not match - all ajax calls needs to add the token to the header - non ajax get requests do not need xsrf token validation - non ajax post will have to send the token in as a form input or in the content Issue #612 --- service/pixelated/resources/login_resource.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'service/pixelated/resources/login_resource.py') diff --git a/service/pixelated/resources/login_resource.py b/service/pixelated/resources/login_resource.py index f1d9c1e3..aca266cf 100644 --- a/service/pixelated/resources/login_resource.py +++ b/service/pixelated/resources/login_resource.py @@ -20,14 +20,13 @@ from xml.sax import SAXParseException from twisted.cred import credentials from twisted.internet import defer +from twisted.python.filepath import FilePath from twisted.web import util -from twisted.web.error import FlattenerError from twisted.web.http import UNAUTHORIZED, OK from twisted.web.resource import IResource, NoResource from twisted.web.server import NOT_DONE_YET from twisted.web.static import File from twisted.web.template import Element, XMLFile, renderElement, renderer -from twisted.python.filepath import FilePath from pixelated.adapter.welcome_mail import add_welcome_mail from pixelated.resources import BaseResource, UnAuthorizedResource, IPixelatedSession -- cgit v1.2.3