Xor CSRF token #6798
Signed-off-by: JohnNiang <[email protected]>
8066c80 to 8d5967d
Codecov Report: All modified and coverable lines are covered by tests ✅

@@ Coverage Diff @@
##              main    #6798   +/-   ##
=========================================
  Coverage     57.06%   57.06%
  Complexity     3980     3980
=========================================
  Files           710      710
  Lines         23972    23972
  Branches       1569     1569
=========================================
  Hits          13680    13680
  Misses         9680     9680
  Partials        612      612
/lgtm
Quality Gate passed
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull request has been approved by: guqing. The full list of commands accepted by this bot can be found here. The pull request process is described here.
What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
What this PR does / why we need it:
This PR applies an XOR operation to the CSRF token and changes the CSRF cookie's `HttpOnly` attribute to `true` to forbid JavaScript from accessing the cookie. See https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#csrf-token-request-handler-breach for more details.
Special notes for your reviewer:
Does this PR introduce a user-facing change?
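The XOR masking this PR adopts, shown as an added example in Python rather than the project's Java (this is not code from Halo or from Spring Security): every response masks the session's CSRF token with fresh random bytes, using the layout the linked Spring Security page describes for its XOR request handler (base64url of the random bytes followed by token XOR random), so the value the browser sees changes on every request while the server always recovers the same underlying token. The last helper is a small defender-side check for the `HttpOnly` change; the sample token, the cookie name and all function names are constructed for this example.

```python
import base64
import secrets
from typing import Optional

# Constructed sample token; a real one comes from the server-side session.
SESSION_CSRF_TOKEN = "constructed-session-csrf-token-0123456789"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def mask_csrf_token(token: str) -> str:
    """Mask `token` with fresh random bytes: base64url(random || token XOR random).

    Because the random bytes are new on every call, the masked string differs
    per request and a compressed response never repeats the raw secret.
    """
    token_bytes = token.encode("utf-8")
    random_bytes = secrets.token_bytes(len(token_bytes))
    combined = random_bytes + xor_bytes(random_bytes, token_bytes)
    return base64.urlsafe_b64encode(combined).decode("ascii")


def unmask_csrf_token(masked: str) -> Optional[str]:
    """Recover the raw token from a masked value; None for malformed input."""
    try:
        combined = base64.urlsafe_b64decode(masked)
    except ValueError:  # binascii.Error is a ValueError: bad padding or non-ASCII
        return None
    if not combined or len(combined) % 2:
        return None  # must be exactly random || xored, halves of equal length
    half = len(combined) // 2
    raw = xor_bytes(combined[:half], combined[half:])
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def csrf_token_matches(expected: str, submitted_masked: str) -> bool:
    """Server-side check: unmask the submitted value, then compare in constant time."""
    actual = unmask_csrf_token(submitted_masked)
    if actual is None:
        return False
    return secrets.compare_digest(actual.encode("utf-8"), expected.encode("utf-8"))


def cookie_is_http_only(set_cookie_header: str) -> bool:
    """True if a Set-Cookie header value carries the HttpOnly attribute (case-insensitive)."""
    attributes = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "httponly" in attributes


if __name__ == "__main__":
    first = mask_csrf_token(SESSION_CSRF_TOKEN)
    second = mask_csrf_token(SESSION_CSRF_TOKEN)
    print("masked values differ per request:", first != second)
    print("both unmask to the session token:",
          unmask_csrf_token(first) == unmask_csrf_token(second) == SESSION_CSRF_TOKEN)
    print("token from another session rejected:",
          csrf_token_matches(SESSION_CSRF_TOKEN, mask_csrf_token("other-token")))
    # Constructed cookie name; the attribute check is what matters here.
    print("cookie is HttpOnly:",
          cookie_is_http_only("CSRF-TOKEN=abc; Path=/; HttpOnly; SameSite=Lax"))
```

The masking is not encryption: anyone holding the masked value can unmask it, since the random bytes travel with it. Its purpose is only to stop the same secret bytes from appearing verbatim in every compressed response, which is the BREACH condition the linked page discusses; keeping the token out of script reach is the separate job of the `HttpOnly` flag.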