[Owncloud] CSRF behaviour is annoying

Thomas Tanghus thomas at tanghus.net
Wed Sep 19 13:13:33 UTC 2012


Hi Christian

On Tuesday 18 September 2012 12:22 you wrote:
> > On Sunday 16 September 2012 14:40:47 you wrote:
> > Since everyone seems to agree that it's the best solution, and there's
> > working script for it, should we add it to core? I guess it can be
> > categorized as a bug fix?
> > 
> > Christian, are you up for it?
> 
> Um, ok, I can take a look at it, sure.
> 
> The two scripts themselves are trivial. But a decision has to be made which
> I feel not authorized to take:

I hope you don't mind me forwarding this to the mailing list, both for getting 
the final ACK for it, and maybe someone would grant you push privileges to the 
repositories - anyone?

I'm leaving for vacation tonight and won't be back until Friday 28, otherwise I 
will be glad to share my limited git knowledge ;)

> I sketched two stages in my solution. The difference from a technical point
> of view is whether the ajax request required to refresh the token should be
> protected itself by the current token or not. This has to be coded in the
> ajax hook. That strategy is fine for most situations and appears to be
> safe. However that fails if the client had been cut off from internet for a
> while, for example because of having been suspended. In those cases a
> refresh still is possible without annoying the user, but only if the
> refresh process itself is _not_ protected by a token.
> I myself came to the conclusion that this is safe enough. But there are
> certainly more experienced people around who might want to take a closer
> look at that.
> Another thing:
> as far as I know I have no write access to the OC git I guess. And I am not
> even familiar with git, since I use svn myself. So I would need some
> 'mentor' for this... Thomas?
-- 
Med venlig hilsen / Best Regards

Thomas Tanghus
