aea5d3e2fd
For XSRF protection, the REST API requires a special header "X-Gerrit-Auth" containing a token known only to the JS running on the server's domain. Previously, this was set as a JS literal in a <script> tag directly in the output served at /. To support a purely static JS application, we can't depend on injecting JS literals into the body of /. Instead, provide the XSRF token via a cookie on the response for /.

Note that this only affects how the server communicates the XSRF token to the client; we still require clients to send the token back in the X-Gerrit-Auth header. The server must ignore an XSRF token cookie sent by the client, since the cookie will be sent on all requests, including possibly-forged cross-site requests.

As a minor optimization and to avoid confusion when looking at request traces, the client code discards the cookie as soon as it is stored in a JS variable.

Change-Id: Ie24051b48186d6f85bccadfe139e2103b4228cbe
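The token handoff the commit message describes, as an added example that is not Gerrit's own code: the client reads the token out of the cookie on the response for /, keeps it in a JS variable, expires the cookie, and sends the token back in X-Gerrit-Auth; the server checks only that header and ignores any cookie, because a browser attaches cookies to forged cross-site requests as well. The cookie name XSRF_TOKEN, the session-token lookup and the request shape are assumptions for illustration; only the X-Gerrit-Auth header name comes from the message.

```javascript
// Added example, not Gerrit's code. Cookie name XSRF_TOKEN and the
// request/session shapes are assumed; X-Gerrit-Auth is the header the
// commit message names.

const XSRF_COOKIE = 'XSRF_TOKEN';     // assumed cookie name
const XSRF_HEADER = 'x-gerrit-auth';  // header the REST API requires

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Client side: take the token the server set on the response for "/",
// keep it in a JS variable, and return the cookie string that expires
// the cookie so it stops riding along on every later request.
function takeXsrfToken(cookieString) {
  const token = parseCookies(cookieString)[XSRF_COOKIE];
  if (!token) throw new Error('no XSRF token cookie on this response');
  const expire = `${XSRF_COOKIE}=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT`;
  // In a browser: document.cookie = expire;
  return { token, expire };
}

// Client side: headers for a REST call, token carried in X-Gerrit-Auth.
function buildRestHeaders(token) {
  return { 'Content-Type': 'application/json', [XSRF_HEADER]: token };
}

// Server side: accept a state-changing request only when the header
// matches the token bound to the session. The Cookie header is never
// consulted: a cross-site form post would carry the cookie too.
function serverAcceptsRequest(req, sessionToken) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) headers[k.toLowerCase()] = v;
  const presented = headers[XSRF_HEADER];
  if (typeof presented !== 'string' || presented.length !== sessionToken.length) return false;
  // Length-independent compare so a mismatch position does not leak via timing.
  let diff = 0;
  for (let i = 0; i < presented.length; i++) {
    diff |= presented.charCodeAt(i) ^ sessionToken.charCodeAt(i);
  }
  return diff === 0;
}

// Walk-through: legitimate client vs. a forged cross-site request that
// only has the cookie (constructed sample values).
function demo() {
  const sessionToken = 'tok-9f3a';
  const { token } = takeXsrfToken(`${XSRF_COOKIE}=tok-9f3a; GerritAccount=abc`);
  const legit = serverAcceptsRequest({ headers: buildRestHeaders(token) }, sessionToken);
  const forged = serverAcceptsRequest({ headers: { cookie: `${XSRF_COOKIE}=tok-9f3a` } }, sessionToken);
  return { legit, forged };
}
```

The forged request is rejected even though it carries the correct token in the cookie, which is exactly why the server must never fall back to reading the cookie; only the header, which cross-site HTML forms cannot set, proves the request came from JS on the server's domain.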
Tree:
src/
BUCK