field | value | date
---|---|---
author | Chris Meyers <chrismeyersfsu@users.noreply.github.com> | 2024-03-11 22:06:09 +0100
committer | GitHub <noreply@github.com> | 2024-03-11 22:06:09 +0100
commit | ad96a92fa7e96e6d0e15be7b5cc4e3599823a84b (patch) |
tree | 559c12b3585a0a5b4379e8a6b71e8e5726ed5cb3 /licenses/jaraco-classes.txt |
parent | English string validation to error code validation (diff) |
download | awx-ad96a92fa7e96e6d0e15be7b5cc4e3599823a84b.tar.xz awx-ad96a92fa7e96e6d0e15be7b5cc4e3599823a84b.zip |
Align Origin and Host header (#14970)
* Align Origin and Host header
* Before this change the Host: header was runserver. It seems to be set by
the nginx upstream flow.
* After this change we explicitly set the Host: header
* More about CSRF checks ...
CSRF checks that Origin == Host. Think about how the browser works.
<browser goes to awx.com>
"I'm executing javascript that I downloaded from awx.com (ORIGIN) and
I'm making an XHR POST request to awx.com (HOST)"
Server verifies; Host: header == Origin: header; OK!
vs. the malicious case.
<hacker injects javascript code into google.com>
<browser goes to google.com>
"I'm executing javascript that I downloaded from google.com (ORIGIN)
and I'm making an XHR POST request to awx.com (HOST)"
Server verifies; Host: header != Origin: header; NOT OK!
* Update awx/settings/development.py
---------
Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
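The commit message above explains the Origin-vs-Host comparison in prose only. The following is an added example, not code from AWX or from Django: a minimal, simplified model of that CSRF origin check (Django's real check also falls back to the Referer header on HTTPS and honours CSRF_TRUSTED_ORIGINS; only the allowlist part is modelled here, and the function names, the header dictionaries and the host names `awx.com`, `google.com` and `runserver` are constructed for the example). It walks through the two cases in the commit message plus the failure mode the commit fixes: a reverse proxy that rewrites Host to `runserver` makes a perfectly legitimate same-origin POST look cross-site, so the check rejects it.

```python
"""Added example (not AWX or Django code): a minimal model of the CSRF
Origin-vs-Host check described in the commit message."""
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit


def _normalize_origin(origin: str) -> Optional[str]:
    """Reduce an Origin header value to 'scheme://host[:port]' in lowercase.

    Returns None for values that are not a well-formed origin.
    """
    parts = urlsplit(origin)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_origin_ok(
    headers: Dict[str, str],
    scheme: str = "https",
    trusted_origins: Iterable[str] = (),
) -> bool:
    """Return True when a state-changing request passes the Origin check.

    headers: the request headers as the application sees them (hypothetical
    dict; key case is normalised here). The expected origin is rebuilt from
    the request scheme and the Host: header, exactly the comparison the
    commit message describes: Origin must equal scheme://Host unless the
    Origin appears in the explicit trusted_origins allowlist.
    A missing or 'null' Origin is rejected in this simplified model.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    host = lowered.get("host")
    if not origin or not host or origin == "null":
        return False
    presented = _normalize_origin(origin)
    if presented is None:
        return False
    expected = f"{scheme}://{host}".lower()
    if presented == expected:
        return True
    return presented in {o.lower() for o in trusted_origins}


def run_scenarios() -> Dict[str, bool]:
    """Constructed requests covering the cases in the commit message."""
    # Browser on awx.com posts to awx.com: Origin == Host.
    benign = {"Host": "awx.com", "Origin": "https://awx.com"}
    # Script injected into google.com posts to awx.com: Origin != Host.
    cross_site = {"Host": "awx.com", "Origin": "https://google.com"}
    # The pre-fix situation: the proxy rewrote Host to "runserver", so even
    # the benign request no longer matches and is rejected.
    proxy_rewrote_host = {"Host": "runserver", "Origin": "https://awx.com"}
    return {
        "benign": csrf_origin_ok(benign),
        "cross_site": csrf_origin_ok(cross_site),
        "proxy_rewrote_host": csrf_origin_ok(proxy_rewrote_host),
        # Allowlisting the public origin papers over the broken Host header,
        # but aligning Host with Origin (what the commit does) is the real fix.
        "proxy_rewrote_host_trusted": csrf_origin_ok(
            proxy_rewrote_host, trusted_origins=["https://awx.com"]
        ),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {'OK' if verdict else 'NOT OK'}")
```

The `proxy_rewrote_host` case is the point of the commit: when nginx forwards a Host: header that is not the name the browser connected to, a same-origin request is indistinguishable from a cross-site one, and the only ways out are to forward the original Host (the commit's approach) or to allowlist the public origin explicitly.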
Diffstat (limited to 'licenses/jaraco-classes.txt')
0 files changed, 0 insertions, 0 deletions