]> git.mxchange.org Git - quix0rs-gnu-social.git/commit
projects / quix0rs-gnu-social.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c67b89e) | patch
Verify that authenticated API calls are made from our domain name.
authorMikael Nordfeldth <mmn@hethane.se>
Mon, 22 Feb 2016 14:19:10 +0000 (15:19 +0100)
committerMikael Nordfeldth <mmn@hethane.se>
Mon, 22 Feb 2016 14:19:10 +0000 (15:19 +0100)
commit5f7032dfee1fd202c14e76a9f8b37af35d584901
tree4de27a82863f59a8b1e6e1d2c04dcf076799f644tree | snapshot
parentc67b89e56bf0f90730a9e22beca7e1bd41fc26c3commit | diff
Verify that authenticated API calls are made from our domain name.

Evil forms on other websites could otherwise potentially be configured
to have action="https://gnusocial.example/api/statuses/update.json" or
whatever. XHR is already blocked with CORS stuff.

Really, why do browsers allow cross domain POSTs at all? Sigh. The web.
lib/apiauthaction.php diff | blob | history
lib/util.php diff | blob | history
This is my personal clone from the wonderful software GNUSocial. I may fix or break things here, so use it on your own risk. :-)