gluon

nils/gluon

History

Matthias Schiffer 1837b1e2b3 gluon-web: prohibit cross-origin POST As gluon-web uses standard multipart/form-data requests, browsers don't enforce any cross-origin restrictions. To prevent malicious injection of POST requests into the config mode, match the Origin header against the Host header of the request. (cherry picked from commit `a83466be6e`)	2022-02-03 17:08:07 +01:00
..
lib/lua/gluon/web	gluon-web: prohibit cross-origin POST	2022-02-03 17:08:07 +01:00

Matthias Schiffer 1837b1e2b3 gluon-web: prohibit cross-origin POST

As gluon-web uses standard multipart/form-data requests, browsers don't
enforce any cross-origin restrictions. To prevent malicious injection of
POST requests into the config mode, match the Origin header against the
Host header of the request.

(cherry picked from commit a83466be6e)

2022-02-03 17:08:07 +01:00

lib/lua/gluon/web gluon-web: prohibit cross-origin POST 2022-02-03 17:08:07 +01:00