[Owncloud] Cross-site request forgery protection
Thomas Tanghus
thomas at tanghus.net
Fri Jun 8 16:52:59 UTC 2012
On Friday 08 June 2012 16:42 Frank Karlitschek wrote:
> Hi everybody,
>
> we have to do something in ownCloud against the CSRF threat. We have some
> protection in some areas already but I think we need a general solution
> here. We have to check if a GET request, form POST or Ajax request really
> comes from the user and ownCloud itself or if it was triggered by an evil
> JS script or Flash applet from a remote site.
> Opinions? Does this make sense?
It sounds like a straightforward way to do it. Labor-intensive to implement
to start with but easy to remember once you're used to it.
> And does someone volunteer to help me to implement all this? :-)
Could we compile a list of all (core) apps and other parts that need going
through? I'll surely take Contacts, but just write me up for some other stuff
as well.
--
Med venlig hilsen / Best Regards
Thomas Tanghus