Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [orion-dev] Bug 435067 - XSRF protection in webdavImpl.js

Hi Erwin,

webDavImpl.js is part of the WebDAV client plugin. The plugin's purpose is to be hosted on an existing WebDAV server, enabling Orion to connect to the DAV server as a file system.

I don't think it makes sense to add XSRF logic to the client plugin, until we know that the back-end DAV server is likely to support XSRF protection using the same cookie+token approach that Orion is using. This is out of our control, and I'm not even sure how cookies relate to DAV in general. So I don't see this as a high priority.


On Fri, Oct 17, 2014 at 8:10 AM, Margewitsch, Erwin <erwin.margewitsch@xxxxxxx> wrote:

During the work to implement XSRF protection [1] in orion I found one more _javascript_ file which is using directly an XMLHttpRequest object with a method different from ‘get’. So in this place I would like to add XSRF Protection like I did in the other places (see [2]).

Can you give me some hints how to do this for webdavImpl.js? I would like to reuse my code from [orion/xsrfUtils] (see [2]) but I don’t know how…


orion-dev mailing list
To change your delivery options, retrieve your password, or unsubscribe from this list, visit

Back to the top