[Owncloud] Cross-site request forgery protection

Thomas Tanghus thomas at tanghus.net
Fri Jun 8 16:52:59 UTC 2012


On Friday 08 June 2012 16:42 Frank Karlitschek wrote:
> Hi everybody,
> 
> we have to do something in ownCloud against the CSRF threat. We have some
> protection in some areas already but I think we need a general solution
> here. We have to check if a GET request, form POST or Ajax request really
> comes from the user and ownCloud itself or if it was triggered by an evil
> JS script or flash applet from a remote site.
 
> Opinions? Does this make sense?

It sounds like a straightforward way to do it. Labor intensive to implement 
to start with but easy to remember once you're used to it.
 
> And does someone volunteer to help me to implement all this? :-)

Could we compile a list of all (core) apps and other parts that need going 
through? I'll surely take Contacts, but just write me up for some other stuff 
as well.

-- 
Med venlig hilsen / Best Regards

Thomas Tanghus
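The check Frank describes above, a server-side token that a form POST or Ajax request must carry back, is shown below as an added example. It is not ownCloud code (ownCloud is written in PHP) and is not part of this thread; the field name `requesttoken`, the header name `X-Requesttoken`, the dict-shaped session and request objects and the sample requests are all constructed for the illustration. The token is generated once per session, handed out to the page, and every action endpoint refuses a request that does not present it, whichever method the request uses, so a link, form or script on a remote site cannot trigger the action without knowing the session's token.

```python
import hmac
import secrets

# Assumed names for where the token travels (not ownCloud's actual names).
TOKEN_FIELD = "requesttoken"     # hidden form field / GET parameter
TOKEN_HEADER = "X-Requesttoken"  # header added by the app's own Ajax calls


def issue_token(session: dict) -> str:
    """Create a per-session CSRF token once and reuse it for that session.

    The token lives server-side in the session; the page embeds it in forms,
    action links and Ajax calls. A remote site can trigger a request with the
    user's cookies, but it cannot read this value.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def extract_token(request: dict):
    """Pull the submitted token from form fields, then query params, then header."""
    for bucket in ("form", "query"):
        value = request.get(bucket, {}).get(TOKEN_FIELD)
        if value is not None:
            return value
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    return headers.get(TOKEN_HEADER.lower())


def verify_request(session: dict, request: dict) -> bool:
    """Return True only if the request carries the token stored in this session.

    Apply this to every endpoint that performs an action, GET included, since
    a GET action link is just as easy to trigger from a remote page as a POST.
    """
    expected = session.get("csrf_token")
    supplied = extract_token(request)
    if expected is None or supplied is None:
        return False
    # Constant-time comparison so the check leaks nothing via timing.
    return hmac.compare_digest(expected, supplied)


def demo() -> list:
    """Constructed requests against one session: two legitimate, two forged."""
    session = {}
    token = issue_token(session)
    # Legitimate: form POST rendered by ownCloud, with the hidden field.
    form_post = {"method": "POST", "form": {TOKEN_FIELD: token, "name": "Alice"}}
    # Legitimate: the app's own Ajax call, token sent as a header.
    ajax_get = {"method": "GET", "headers": {TOKEN_HEADER: token}}
    # Forged: cross-site POST that carries the cookie but no token.
    forged_post = {"method": "POST", "form": {"name": "Mallory"}}
    # Forged: action link fired from a remote page with a guessed token.
    forged_get = {"method": "GET", "query": {TOKEN_FIELD: "not-the-real-token"}}
    return [verify_request(session, r)
            for r in (form_post, ajax_get, forged_post, forged_get)]


if __name__ == "__main__":
    print(demo())  # expected: [True, True, False, False]
```

One point worth keeping in mind when going through the apps: the check only helps where it is actually called, so every action handler (not just form targets) has to run `verify_request`, and a token bound to the session must be re-issued when the user logs in again, otherwise a token captured from an earlier session of the same user would still validate.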


