Skip to content
  • Laurent Peuch's avatar
    fix: on /rqlio, csrf is activaved only on multipart/form-data · 42202cdd7c57
    Laurent Peuch authored
    POST for application/json are safe from csrf but not multipart/form-data.
    CSRF protection is thus disabled on application/json (no matter the authentications method).
    For multipart/form-data, there are 3 usecases:
    1. multipart/form-data authenticated by cookies (webrowser), this requires
       csrf and this is handled by MultipartRqlIOController.
    2. multipart/form-data anon user, this does not require csrf and this in
       handled by AnonMultipartRqlIOController
    3. multipart/form-data authenticated with authorization, this does not
       requires csrf as there is an authentification. This is not handled here
       but in signed-request that implements the authentification.