Remove now-unnecessary CSRF tokens (!472) · Merge requests · Warren Gifford / sourcegraph

Warren Gifford requested to merge remove-csrf-check into master Oct 20, 2018

Created by: sqs

The routes that are protected by CSRF tokens all only need to accept JSON post data. So we can remove CSRF tokens. This removes a lot of complexity in our security model (@slimsag, @keegancsmith, and I have spent time researching whether our CSRF tokens impl is correct, when it isn't actually being used for anything).

Note that this just removes CSRF tokens, not CORS or other CSRF protections.

See commit messages.

fix https://github.com/sourcegraph/enterprise/issues/11121
https://github.com/sourcegraph/sourcegraph/pull/241#issuecomment-427359458

Remove now-unnecessary CSRF tokens

Merge request reports