From cdb8f4bc617ff4d6659ef29d010327586ec75f93 Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Fri, 2 Jun 2017 18:17:51 +0800
Subject: [PATCH] [WebUI] relax CSRF defense. Closes #6882.

Allow HTTP request which has neither Origin nor Referer header included
---
 src/webui/abstractwebapplication.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/webui/abstractwebapplication.cpp b/src/webui/abstractwebapplication.cpp
index 6a999118a..35870b6b9 100644
--- a/src/webui/abstractwebapplication.cpp
+++ b/src/webui/abstractwebapplication.cpp
@@ -392,9 +392,9 @@ bool AbstractWebApplication::isCrossSiteRequest(const Http::Request &request) co
 const QString refererValue = request.headers.value(Http::HEADER_REFERER);
 
 if (originValue.isEmpty() && refererValue.isEmpty()) {
- if ((request.path == QLatin1String("/")) || (request.path == QLatin1String("/favicon.ico")))
- return false; // normal request
- return true;
+ // owasp.org recommends to block this request, but doing so will inevitably lead Web API users to spoof headers
+ // so lets be permissive here
+ return false;
 }
 
 // sent with CORS requests, as well as with POST requests
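Review bot: The new `return false;` in the empty-Origin/empty-Referer branch removes the cross-site check entirely for such requests, and the added comment records the motivation but not the accepted risk, so a later reader cannot tell what still protects this path. A request reaching this branch is either a non-browser API client or a browser request whose Origin and Referer were both stripped (privacy extensions, proxies), and the latter now passes straight through; current browsers normally attach Origin to cross-origin POST/fetch, so the practical exposure is presumably limited to those stripped requests, but the comment should say so rather than leave it implied. I would expand it to something like `// Neither Origin nor Referer: treat as a non-browser API client and accept. Browsers normally send Origin on cross-origin POST, so a browser request only lands here when both headers were stripped; that case is deliberately accepted (#6882) and is no longer covered by this check.` and fix `lets` to `let's`. isCrossSiteRequest begins before the hunk and continues after it.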