Add XSRF protection for POST requests

Oct 20, 2016, 2:11 PM
2P35LNRY3ZWGLARBNWLQEW2QPS3CTK4Z677ZZYFX4GLVNLUONYBAC

Dependencies

  • [2] LZVO64YG Merge in the first bits of the API work
  • [*] J5UVLXOK * Start of a basic Catalyst web interface.

Change contents

  • edit in src/lib/Hydra/Controller/Root.pm at line 63
    [2.21385]
    [2.21385]
    # XSRF protection: require POST requests to have the same origin.
    if ($c->req->method eq "POST") {
    my $referer = $c->req->header('Origin');
    $referer //= $c->req->header('Referer');
    my $base = $c->req->base;
    error($c, "POST requests should come from ‘$base’")
    unless defined $referer && $referer eq $base;
    }
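
Review bot: The exact comparison in `unless defined $referer && $referer eq $base;` is too strict for both headers this block reads, so legitimate same-origin POSTs can be rejected. A `Referer` value is the full URL of the referring page, including its path, so it equals `$c->req->base` only when the form was submitted from the base URL itself. An `Origin` value is only scheme, host and port with no path, while the Catalyst base normally ends in `/`. Suggest either comparing scheme, host and port after parsing both values, or appending a trailing `/` to the header value when it lacks one and checking that it starts with `$base`. Two smaller points: the `defined` check rejects any POST that sends neither header, which will affect non-browser API clients and deserves a comment, and `$referer` holds the `Origin` value first, so a neutral name such as `$origin` would read more clearly.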