beenull
/
linx-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
343 Commits 2 Branches 77 Tags 2.2 MiB
Commit Graph

9 Commits

Author SHA1 Message Date
andreimarcu 9847beeff5 Cleanup 2015-10-14 22:47:36 -04:00
andreimarcu 3c659601e2 Make it an option for post uploads 2015-10-14 20:40:25 -04:00
andreimarcu 9b724725b3 Blank referrers are allowed 2015-10-14 20:35:43 -04:00
mutantmonkey d138755806 do a proper same-origin check 
String prefix matching is hacky and provides insufficient checking if it
does not end with a /.
 2015-10-13 19:55:32 -07:00
mutantmonkey a3723d3665 short-circuit on origin header 
If the Origin header is present, we can check it and skip the other
checks.
 2015-10-12 01:23:06 -07:00
mutantmonkey a7ae455ac1 strict referrer check improvements 
* Always check Origin if it is present, regardless of headers sent
* Whitelist X-Requested-With header
 2015-10-12 00:28:04 -07:00
mutantmonkey cd83f9f0eb fix CSP referrer policy 
The policy of "referrer none" was incorrect and was nonfunctional. With
this change, the CSP referrer policy is set to origin, which
will causes only the origin to be sent for requests made from the main
site.

A fix was also needed for referrer checks in two places.
 2015-10-11 23:49:15 -07:00
mutantmonkey 39d874374d trim trailing / for origin checking 2015-10-11 20:06:14 -07:00
mutantmonkey 6ff181facb add strict referrer check for POST uploads 
This should protect against cross-site request forgery without the need
for cookies. It continues to allow requests with Linx-Delete-Key,
Linx-Expiry, or Linx-Randomize headers as these will not be set in the
case of cross-site requests.
 2015-10-08 20:27:04 -07:00