Use XSRF tokens for cross-site protections

Removes all Referer checks, which have proven unreliable and have never been particularly strong

We can apply XSRF checks per path for more robust inter-path protection.

- `_xsrf` is added for forms via hidden input
- xsrf check is additionally applied to GET requests on API endpoints
Min RK
2022-09-09 13:06:06 +02:00
parent 995264ffef
commit abe1136cba
22 changed files with 219 additions and 250 deletions


@@ -1,7 +1,16 @@
const jhdata = window.jhdata || {};
const base_url = jhdata.base_url || "/";
const xsrfToken = jhdata.xsrf_token;
export const jhapiRequest = (endpoint, method, data) => {
let base_url = window.base_url || "/",
api_url = `${base_url}hub/api`;
return fetch(api_url + endpoint, {
let api_url = `${base_url}hub/api`;
let suffix = "";
if (xsrfToken) {
// add xsrf token to url parameter
var sep = endpoint.indexOf("?") === -1 ? "?" : "&";
suffix = sep + "_xsrf=" + xsrf_token;
}
return fetch(api_url + endpoint + suffix, {
method: method,
json: true,
headers: {