fix: on /rqlio, csrf is activaved only on multipart/form-data (!24) · Merge requests · cubicweb / cubes / rqlcontroller

Noé Gaumont requested to merge topic/default/csrf-signedrequest-auth into branch/default Aug 20, 2021

POST for application/json are safe from csrf but not multipart/form-data. CSRF protection is thus disabled on application/json (no matter the authentications method).

For multipart/form-data, there are 3 usecases:

multipart/form-data authenticated by cookies (webrowser), this requires csrf and this is handled by MultipartRqlIOController.
multipart/form-data anon user, this does not require csrf and this in handled by AnonMultipartRqlIOController
multipart/form-data authenticated with authorization, this does not requires csrf as there is an authentification. This is not handled here but in signed-request that implements the authentification.

fix: on /rqlio, csrf is activaved only on multipart/form-data

Merge request reports