commit | 39e79d9f54581b7ec6b2ffa7d3a7017f4caa4240 | |
---|---|---|
author | Bogdan Caprita <caprita@google.com> | Fri May 27 16:37:29 2016 -0700 |
committer | Bogdan Caprita <caprita@google.com> | Fri May 27 16:37:29 2016 -0700 |
tree | fc5ec531cf30dcbe6eb9925aec27c2244bf29f74 | |
parent | 038f61d5a4c4d4a90429e61caf57bcf2da87b840 | |

allocatord: relax csrf requirement for non-mutating handlers

With the debug browser integration, it's no longer practical to pass csrf tokens around for all requests and handlers. Consequently, we're now going to only require csrf tokens for mutating requests. For non-mutating requests, the redirect through the oauth flow was not adding much security (Asim and I discussed this a while back).

For now, keep the CSRF token in the email cookie so that it's easily available for constructing mutating URLs. It could be its own cookie in theory.

Change-Id: Ia6179947d19a59ffcd484f56db5d34351087ce83

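
The policy the commit message describes, sketched as an added example (not code from this commit or from allocatord): a wrapper that requires the session cookie on every request but checks a CSRF token only for handlers marked as mutating. The `email` cookie name, the `csrf` query parameter, the HMAC token scheme and the `handle`, `tokenFor` and `status` helpers are all assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed demo key; cookie name "email" and query parameter "csrf" are assumed.
var secret = []byte("constructed-demo-key")
// tokenFor binds the CSRF token to the signed-in user (assumed scheme: HMAC of the email).
func tokenFor(email string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(email))
	return hex.EncodeToString(m.Sum(nil))
}
// handle wraps h: all requests need the (assumed already authenticated) cookie; only mutating ones need the token.
func handle(mutating bool, h http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("email")
		if err != nil || c.Value == "" {
			http.Error(w, "not signed in", http.StatusUnauthorized)
			return
		}
		want := []byte(tokenFor(c.Value))
		// hmac.Equal compares in constant time, so the check does not leak token bytes.
		if mutating && !hmac.Equal([]byte(r.URL.Query().Get("csrf")), want) {
			http.Error(w, "bad csrf token", http.StatusForbidden)
			return
		}
		h(w, r)
	}
}

// status sends one GET through a wrapped no-op handler and returns the HTTP status.
func status(mutating bool, email, csrf string) int {
	r := httptest.NewRequest("GET", "/x?csrf="+csrf, nil)
	if email != "" {
		r.AddCookie(&http.Cookie{Name: "email", Value: email})
	}
	w := httptest.NewRecorder()
	handle(mutating, func(http.ResponseWriter, *http.Request) {})(w, r)
	return w.Code
}

func main() {
	me := "user@example.com" // constructed sample identity
	fmt.Println(status(false, me, ""), status(true, me, ""), status(true, me, tokenFor(me)))
}
```

The relaxation is only as safe as the mutating/non-mutating classification: a handler registered as non-mutating must have no side effects, since it is reachable with the cookie alone.
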
This repository contains a reference implementation of the Vanadium APIs.
Unlike the APIs in https://github.com/vanadium/go.v23, which promise to provide backward compatibility, this repository makes no such promises.