Merge pull request #6887 from Chocobo1/csrf_relax

[WebUI] relax CSRF defense. Closes #6882.
2025-01-11 07:18:08 +00:00 · 2017-06-14 02:37:33 +03:00 · 2017-06-14 02:37:33 +03:00 · fd05f5dec5
commit fd05f5dec5
parent fff6640127 cdb8f4bc61
1 changed files with 3 additions and 3 deletions
--- a/src/webui/abstractwebapplication.cpp
+++ b/src/webui/abstractwebapplication.cpp
@ -392,9 +392,9 @@ bool AbstractWebApplication::isCrossSiteRequest(const Http::Request &request) co
    const QString refererValue = request.headers.value(Http::HEADER_REFERER);

    if (originValue.isEmpty() && refererValue.isEmpty()) {
-        if ((request.path == QLatin1String("/")) || (request.path == QLatin1String("/favicon.ico")))
-            return false;  // normal request
-        return true;
+        // owasp.org recommends to block this request, but doing so will inevitably lead Web API users to spoof headers
+        // so lets be permissive here
+        return false;
    }

    // sent with CORS requests, as well as with POST requests