mirror of
https://github.com/opf/openproject.git
synced 2026-06-14 03:30:14 +00:00
0383ae171c
This warden strategy is primarily used to allow APIv3 requests from the browser, which only authenticates using its session cookie. Since this is susceptible to cross-site request forgery, prevention of CSRF must take place. This was so far only ensured through the usage of the X-Requested-With header. When a client sent along this header, the server could know that a CORS preflight request must have been made and thus the browser most certainly has validated that the request is valid according to CORS rules. However, the header itself is a non-standard header and while some JavaScript frameworks add it to requests, not all of them do. For us this was practically visible on the API docs hosted under `/api/docs`. The solution is to expect the browser to send the Sec-Fetch-Site header with a value of same-origin. This header can't be set through JavaScript, but only by the browser, and the value "same-origin" ensures that scheme, host and port are the same for requester and requested endpoint, thus eliminating CSRF concerns. This feature is widely supported by all major browsers, the last of which was Safari, which added support 3 years ago. We might want to consider dropping the check for X-Requested-With entirely, since it should be superfluous. For now it was left in place for greater compatibility.
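The header gate the commit message describes, written out as an added illustration in Ruby; this is not OpenProject's own warden strategy. It reads the two headers from a Rack env hash (Rack exposes `Sec-Fetch-Site` as `HTTP_SEC_FETCH_SITE` and `X-Requested-With` as `HTTP_X_REQUESTED_WITH`); the class name `BrowserOriginCheck`, its method names, the `allow_legacy_header` switch and the sample requests are all constructed for this example. The switch corresponds to the message's remark that the X-Requested-With check could eventually be dropped.

```ruby
# Added illustration (not OpenProject code): decide whether a request that
# authenticates only with a session cookie may be trusted as coming from
# our own pages. Rack header keys are real; class/method names are assumed.
class BrowserOriginCheck
  SEC_FETCH_SITE   = "HTTP_SEC_FETCH_SITE"
  X_REQUESTED_WITH = "HTTP_X_REQUESTED_WITH"

  # Returns a symbol so a caller (e.g. a warden strategy) can log the reason:
  #   :same_origin       - browser-set Sec-Fetch-Site: same-origin; script cannot forge it
  #   :legacy_xhr_header - no Sec-Fetch-Site at all (older browser), but the
  #                        non-standard X-Requested-With header was present
  #   :rejected          - Sec-Fetch-Site names a foreign initiator, or no signal at all
  def self.classify(env, allow_legacy_header: true)
    site = env[SEC_FETCH_SITE].to_s.strip.downcase
    return :same_origin if site == "same-origin"

    # An explicit value other than same-origin (cross-site, same-site, none)
    # is the browser telling us the request did not originate from our pages;
    # never fall back to the script-settable header in that case.
    return :rejected unless site.empty?

    xrw = env[X_REQUESTED_WITH].to_s.strip
    if allow_legacy_header && xrw.casecmp?("XMLHttpRequest")
      :legacy_xhr_header
    else
      :rejected
    end
  end

  def self.allowed?(env, allow_legacy_header: true)
    classify(env, allow_legacy_header: allow_legacy_header) != :rejected
  end
end

# Constructed sample Rack envs covering the cases discussed in the message.
SAMPLE_REQUESTS = {
  # Modern browser, fetch() from the API docs page: no X-Requested-With, but the
  # browser adds Sec-Fetch-Site itself.
  modern_browser_same_origin: { "HTTP_SEC_FETCH_SITE" => "same-origin" },
  # Older browser without Fetch Metadata support, framework added the XHR header.
  old_browser_xhr:            { "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest" },
  # Browser reports a cross-site initiator; the XHR header must not override it.
  cross_site_with_xrw:        { "HTTP_SEC_FETCH_SITE" => "cross-site",
                                "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest" },
  # Request carrying neither signal.
  bare_request:               {}
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REQUESTS.each do |name, env|
    puts format("%-28s %s", name, BrowserOriginCheck.classify(env))
  end
end
```

Because `classify` reports *why* a request passed, the strategy can count how many sessions still rely on `:legacy_xhr_header` before flipping `allow_legacy_header` to `false`.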