This repository was archived by the owner on Nov 9, 2017. It is now read-only.

Security: CSRF possibility #24

@whs

Description


There is a possible attack using the API. As the session cookie is not protected, an attacker knowing the endpoint URL can execute XHR using the authenticated user's credentials without the user's consent.

One possible way to solve this is removing the session cookie from the login API (which also requires a rewrite of the unit tests) and disabling CORS credentials. The alternative could be a token similar to OAuth2.

Another way is to validate the CORS origin to only include the web interface and the Cordova packaged app.
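The third option above (an origin allowlist for a cookie-authenticated API), as an added example that is not code from this project or from the issue author. It models the server-side decision as a pure function so it can be exercised without a running server; the origins, the cookie name "session", and the request/response shapes are assumptions for illustration.

```javascript
'use strict';

// Origins permitted to make credentialed (cookie-bearing) calls to the API.
// Hypothetical values: the web interface's origin, plus "null", which a
// Cordova WebView loading the packaged app from file:// typically sends as
// its Origin header. Accepting "null" is a deployment decision (sandboxed
// iframes send it too), so it is listed explicitly, never matched by a
// fallback rule.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'null',
]);

const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Headers for an allowlisted origin. The specific origin is echoed back:
// browsers refuse "*" together with Allow-Credentials, and a shared cache
// must key the response on Origin, hence Vary.
function corsHeaders(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, PATCH, DELETE',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Vary': 'Origin',
  };
}

// Assumed session cookie name "session"; split on ";" so that a cookie
// such as "xsession=" does not match by substring.
function hasSessionCookie(headers) {
  const cookie = headers.cookie || '';
  return cookie.split(';').some((c) => c.trim().startsWith('session='));
}

// Decide how to answer one request. `req` is a plain object standing in for
// the HTTP request ({ method, headers: { origin, cookie } }); the return
// value is { status, headers }.
function handleRequest(req) {
  const method = req.method.toUpperCase();
  const origin = req.headers.origin; // undefined when no Origin header was sent
  // Exact match only: suffix or regex matching lets "app.example.com.evil.net" through.
  const originAllowed = origin !== undefined && ALLOWED_ORIGINS.has(origin);

  if (method === 'OPTIONS') {
    // Preflight: only allowlisted origins get a positive answer.
    return originAllowed
      ? { status: 204, headers: corsHeaders(origin) }
      : { status: 403, headers: {} };
  }

  if (origin !== undefined && !originAllowed) {
    // Cross-site request from a page we do not trust. For "simple" requests
    // (form POST, XHR without custom headers) the browser still sends the
    // request and the cookie even though it will hide the response, so a
    // CSRF must be stopped here by refusing to act, not by merely omitting
    // the CORS headers.
    if (STATE_CHANGING.has(method) || hasSessionCookie(req.headers)) {
      return { status: 403, headers: {} };
    }
    // Anonymous read from an unknown origin: nothing to forge. Serve it with
    // no CORS headers, so the browser withholds the response from the page.
    return { status: 200, headers: {} };
  }

  // No Origin header means same-origin or a non-browser client (browsers
  // send Origin on every cross-site request), neither of which is the CSRF
  // case. Otherwise this is an allowlisted cross-origin caller.
  return { status: 200, headers: originAllowed ? corsHeaders(origin) : {} };
}

if (typeof module !== 'undefined') {
  module.exports = { ALLOWED_ORIGINS, corsHeaders, hasSessionCookie, handleRequest };
}

if (typeof require !== 'undefined' && require.main === module) {
  // A forged POST from an attacker page carrying the victim's cookie: 403.
  console.log(handleRequest({
    method: 'POST',
    headers: { origin: 'https://attacker.example', cookie: 'session=abc' },
  }));
}
```

The decisive detail is that the rejection happens on the server for state-changing and cookie-bearing requests; relying on the browser to enforce CORS only protects the response from being read, not the action from being performed. This check complements, rather than replaces, the first option in the issue (dropping the cookie in favour of a bearer token), and it does nothing for non-browser clients, which are not subject to CSRF in the first place.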
