allocatord: relax csrf requirement for non-mutating handlers

With the debug browser integration, it's no longer practical to pass
csrf tokens around for all requests and handlers.  Consequently, we're
now going to only require csrf tokens for mutating requests.  For
non-mutating requests, the redirect through the oauth flow was not
adding much security (Asim and I discussed this a while back).

For now, keep the CSRF token in the email cookie so that it's easily available
for constructing mutating URLs.  It could be its own cookie in theory.

Change-Id: Ia6179947d19a59ffcd484f56db5d34351087ce83
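
The policy described in the commit message, as an added sketch that is not code from this commit or from allocatord: handlers registered as mutating must present a CSRF token matching the one carried in the email cookie, while read-only handlers are served without one. The cookie layout (`<email>|<token>`), the `csrf` parameter name, the handler paths and the listen address are assumptions made for this example.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"strings"
)

// Assumed layout (not from the commit): cookie "email" holds "<email>|<csrf token>".
const cookieName = "email"

// cookieToken returns the token half of the assumed cookie value, or "" if absent.
func cookieToken(r *http.Request) string {
	c, err := r.Cookie(cookieName)
	if err != nil {
		return ""
	}
	_, tok, _ := strings.Cut(c.Value, "|")
	return tok
}

// requireCSRF guards a mutating handler: the "csrf" parameter must equal the cookie's token.
func requireCSRF(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		want, got := cookieToken(r), r.FormValue("csrf")
		// An empty expected token must never match an empty parameter.
		if want == "" || subtle.ConstantTimeCompare([]byte(want), []byte(got)) != 1 {
			http.Error(w, "missing or invalid csrf token", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// newMux registers one read-only and one mutating handler (both paths hypothetical).
func newMux(suspended *bool) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/stats", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok\n")) })
	mux.HandleFunc("/suspend", requireCSRF(func(w http.ResponseWriter, r *http.Request) { *suspended = true }))
	return mux
}

func main() {
	var suspended bool
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", newMux(&suspended))) // hypothetical local address
}
```

The guard is attached per handler rather than per HTTP method, so a handler left unwrapped has to be free of side effects for the relaxed policy to hold.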
7 files changed
tree: fc5ec531cf30dcbe6eb9925aec27c2244bf29f74
  1. cmd/
  2. examples/
  3. internal/
  4. lib/
  5. runtime/
  6. services/
  7. test/
  8. .gitignore
  9. AUTHORS
  10. CONTRIBUTING.md
  11. CONTRIBUTORS
  12. envvar.go
  13. envvar_test.go
  14. LICENSE
  15. PATENTS
  16. README.md
  17. VERSION
README.md

Vanadium

This repository contains a reference implementation of the Vanadium APIs.

Unlike the APIs in https://github.com/vanadium/go.v23, which promise to provide backward compatibility, this repository makes no such promises.