Restrict HTTP method the override can arrive in #3

Closed
dougwilson opened this issue May 7, 2014 · 2 comments

@dougwilson
Contributor

This module will accept the method override from any method. It should probably be restricted to only certain methods (user configurable?) like only POST (the default?). The only real purpose for this module is to allow legacy systems to make a different method call than they are capable of, and really, every client can POST and POST requests typically contain bodies, so I don't see a use-case to accept method-overrides in other methods (you can always POST with no body as well).

@jonathanong @Fishrock123 @defunctzombie thoughts?

@Fishrock123

Again, FWIW this is a response to http://blog.nibblesec.org/2014/05/nodejs-connect-csrf-bypass-abusing.html

Also see expressjs/csurf#8

@jonathanong
Member

yeah it should only support POST. doesn't make sense to me to support other original methods.
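
The restriction proposed in this thread, as an added example that is not the module's own code: a Connect-style middleware that honours the override header only when the request arrived with an allowed original method (POST by default). The names `restrictedMethodOverride`, `effectiveMethod`, the `methods` and `header` options and the `TARGETS` list are hypothetical, and limiting the override target to PUT, PATCH and DELETE is an extra assumption of this sketch.

```javascript
// Added example: hypothetical names, not the module's API.
// Assumption: only these methods may be requested through the override.
const TARGETS = new Set(['PUT', 'PATCH', 'DELETE']);

function restrictedMethodOverride(options = {}) {
  // Original methods that are allowed to carry an override (default: POST only).
  const allowed = new Set((options.methods || ['POST']).map((m) => m.toUpperCase()));
  // Node lower-cases incoming header names, so compare in lower case.
  const header = (options.header || 'X-HTTP-Method-Override').toLowerCase();

  return function methodOverride(req, res, next) {
    // Keep the method the request actually arrived with for later checks and logs.
    req.originalMethod = req.originalMethod || req.method;
    const original = String(req.originalMethod).toUpperCase();

    // A request that did not arrive in an allowed method is never rewritten.
    if (!allowed.has(original)) return next();

    let value = req.headers[header];
    if (Array.isArray(value)) value = value[0];
    if (typeof value !== 'string') return next();

    const requested = value.trim().toUpperCase();
    if (TARGETS.has(requested)) req.method = requested;
    next();
  };
}

// Runs the middleware over a constructed request object and returns the
// method that downstream handlers would see.
function effectiveMethod(method, override, options) {
  const headers = {};
  if (override !== undefined) headers['x-http-method-override'] = override;
  const req = { method, headers };
  restrictedMethodOverride(options)(req, {}, () => {});
  return req.method;
}

// Constructed sample requests.
console.log(effectiveMethod('POST', 'DELETE'));
console.log(effectiveMethod('GET', 'DELETE'));
console.log(effectiveMethod('GET', 'DELETE', { methods: ['GET', 'POST'] }));
```

Because `req.originalMethod` is preserved, middleware mounted after this one can still decide on the method the client really sent.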
