Recommendation to support CSRF check in Atlassian products? #329
Comments
How about this?
That config works! Thanks, @fmarier . Am I sacrificing substantial privacy guards by loosening these policies up this much?
With this config, you're essentially telling unrelated sites the hostname you came from. That's worse than telling unrelated sites nothing, but it's better than the default of telling them everything. With this config for example, ads on a news site can't use the
@collinbarrett Does JIRA/Confluence work with this config?
Thanks @collinbarrett. I was asking so I could update my blog post with these new examples of broken websites that you have discovered.
Likely related to #328, but different enough that maybe opening a new issue is better. I currently use the below referer settings in user.js. However, Atlassian products (specifically JIRA and Confluence) show "XSRF check failed" in the Firefox console when the application makes some REST API POST calls. I was exploring some docs like here, but I am not super familiar with how CSRF works. Can anyone recommend how to try tweaking my user.js settings to support these applications? Maybe @fmarier?
Note that these apps are self-hosted and the API calls are made to the same domain and port on which the web application runs.
My Current Referer Config:
Screenshots of the API Call:
Thanks!
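As an added illustration (not code from this issue, from the project, or from Atlassian), here is a minimal Origin/Referer-based CSRF check of the kind the "XSRF check failed" message points at, run against constructed request headers that model four browser behaviours: a full Referer, a Referer trimmed to the origin, a suppressed Referer, and a cross-site Referer. The application host, the check's rules (Origin preferred, Referer as fallback, reject when neither is present) and the header samples are assumptions made for the example; they are not Atlassian's implementation and not captured Firefox traffic.

```python
from urllib.parse import urlsplit

# Assumption: the self-hosted application's origin (scheme, host, port).
APP_ORIGIN = "https://jira.example.internal:8443"

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce a URL or Origin value to scheme://host[:port].

    Returns None for an empty or unparseable value (e.g. "Origin: null").
    Default ports are dropped so https://h and https://h:443 compare equal.
    """
    if not url:
        return None
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # urlsplit lowercases the hostname already
    if not scheme or not host:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric port in the header value
        return None
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def xsrf_check(headers, expected_origin=APP_ORIGIN):
    """Origin/Referer check for a state-changing (POST) request.

    Assumed policy (not Atlassian's actual code): use Origin if present,
    otherwise Referer; reject when neither is present or when the source
    origin differs from the application's own origin.
    Returns (accepted, reason).
    """
    hdr = {name.lower(): value for name, value in headers.items()}
    source = hdr.get("origin") or hdr.get("referer")
    if not source:
        return False, "no Origin or Referer header: XSRF check failed"
    got = origin_of(source)
    if got is None:
        return False, f"unparseable source {source!r}: XSRF check failed"
    if got != origin_of(expected_origin):
        return False, f"cross-origin source {got}: XSRF check failed"
    return True, f"same-origin source {got}: accepted"


# Constructed headers modelling what a browser sends to the app under
# different referrer settings (constructed for this example, not captured).
SAMPLES = {
    "full referer": {"Referer": f"{APP_ORIGIN}/browse/PROJ-1?focusedCommentId=7"},
    "origin-only referer": {"Referer": f"{APP_ORIGIN}/"},
    "referer suppressed": {},
    "cross-site referer": {"Referer": "https://news.example.com/article"},
}


def evaluate_samples():
    """Map each sample name to whether the check accepts it."""
    return {name: xsrf_check(h)[0] for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        ok, reason = xsrf_check(headers)
        print(f"{name:22s} -> {'PASS' if ok else 'FAIL'}: {reason}")
```

The "origin-only referer" sample is the shape of the loosened setting discussed in the thread: the request still reveals the application's hostname but not the path or query string, and it still satisfies a same-origin check. Suppressing the header entirely makes the check fail in the way the issue reports, and a cross-site Referer is rejected, which is the protection the check exists to provide.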