Allow cross site requests when safe to reduce xsrfKey fetch costs

During early page startup most of the queries we do are read-only.
Those don't need XSRF protection, as we are only returning public
(or nearly public) data to the client and XSRF tokens just get in
the way, and provide no additional safety.

Signed-off-by: Shawn O. Pearce <sop@google.com>
Shawn O. Pearce
2008-12-30 17:44:55 -08:00
parent fb45bfa54a
commit 1fd2a8ecc3
3 changed files with 9 additions and 0 deletions


@@ -19,6 +19,7 @@ import com.google.gerrit.client.reviewdb.AccountProjectWatch;
import com.google.gerrit.client.reviewdb.ContributorAgreement;
import com.google.gerrit.client.rpc.SignInRequired;
import com.google.gwt.user.client.rpc.AsyncCallback;
import com.google.gwtjsonrpc.client.AllowCrossSiteRequest;
import com.google.gwtjsonrpc.client.RemoteJsonService;
import com.google.gwtjsonrpc.client.VoidResult;
@@ -27,12 +28,14 @@ import java.util.Set;
public interface AccountService extends RemoteJsonService {
@SignInRequired
@AllowCrossSiteRequest
void myAccount(AsyncCallback<Account> callback);
@SignInRequired
void changeDefaultContext(short newSetting, AsyncCallback<VoidResult> callback);
@SignInRequired
@AllowCrossSiteRequest
void myProjectWatch(AsyncCallback<List<AccountProjectWatchInfo>> callback);
@SignInRequired
@@ -44,6 +47,7 @@ public interface AccountService extends RemoteJsonService {
AsyncCallback<VoidResult> callback);
@SignInRequired
@AllowCrossSiteRequest
void myAgreements(AsyncCallback<AgreementInfo> callback);
@SignInRequired
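Review bot: `@AllowCrossSiteRequest` is added to methods that are also `@SignInRequired` (`myAccount`, `myProjectWatch` and `myAgreements` in this file; `myStarredChanges` and `myStarredChangeIds` in ChangeListService; `contributorAgreements` in SystemInfoService), and those return data tied to the signed-in caller rather than the public data the commit message describes. If the cross-site path in gwtjsonrpc serves these methods without the XSRF token while the browser still attaches the session cookie — the servlet is not visible here, so this is inferred — a third-party page could read the caller's account, watch list and starred changes, which is precisely the read-side exposure the token was preventing; "read-only" does not make a response safe to hand to any origin when its content depends on who is logged in. I would keep the annotation only on methods whose response is the same for every caller (`loadGerritConfig`, and `forAccount` if dashboard data is public) and leave the `@SignInRequired` ones token-protected, or at least add a short justification on each annotated method, e.g. `/** Safe cross-site: the response contains no caller-specific data. */`, so the invariant is checked at each future addition.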


@@ -20,6 +20,7 @@ import com.google.gerrit.client.reviewdb.Account;
import com.google.gerrit.client.reviewdb.Change;
import com.google.gerrit.client.rpc.SignInRequired;
import com.google.gwt.user.client.rpc.AsyncCallback;
import com.google.gwtjsonrpc.client.AllowCrossSiteRequest;
import com.google.gwtjsonrpc.client.RemoteJsonService;
import com.google.gwtjsonrpc.client.VoidResult;
@@ -27,13 +28,16 @@ import java.util.Set;
public interface ChangeListService extends RemoteJsonService {
/** Get the data to show {@link AccountDashboardScreen} for an account. */
@AllowCrossSiteRequest
void forAccount(Account.Id id, AsyncCallback<AccountDashboardInfo> callback);
/** Get the changes starred by the caller. */
@AllowCrossSiteRequest
@SignInRequired
void myStarredChanges(AsyncCallback<MineStarredInfo> callback);
/** Get the ids of all changes starred by the caller. */
@AllowCrossSiteRequest
@SignInRequired
void myStarredChangeIds(AsyncCallback<Set<Change.Id>> callback);


@@ -29,5 +29,6 @@ public interface SystemInfoService extends RemoteJsonService {
void loadGerritConfig(AsyncCallback<GerritConfig> callback);
@SignInRequired
@AllowCrossSiteRequest
void contributorAgreements(AsyncCallback<List<ContributorAgreement>> callback);
}