Chris Meyers ad96a92fa7
Align Origin and Host header (#14970)
* Align Origin and Host header

* Before this change the Host: header was runserver. Seems to be set by
  nginx upstream flow.
* After this change we explicitly set the Host: header
* More about CSRF checks ...
  CSRF checks that Origin == Host. Think about how the browser works.

  <browser goes to awx.com>
  "I'm executing javascript that I downloaded from awx.com (ORIGIN) and
  I'm making an XHR POST request to awx.com (HOST)"
  Server verifies; Host: header == Origin: header; OK!

  vs. the malicious case.

  <hacker injects javascript code into google.com>
  <browser goes to google.com>
  "I'm executing javascript that I downloaded from google.com (ORIGIN)
  and I'm making an XHR POST request to awx.com (HOST)"
  Server verifies; Host: header != Origin: header; NOT OK!

* Update awx/settings/development.py

---------

Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
2024-03-11 17:06:09 -04:00
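
The comparison the commit message describes, as an added example that is not part of the commit or of AWX's code. `origin_matches_host`, its parameters and the sample requests are hypothetical, and the check is a simplified stand-in for a framework's CSRF origin verification.

```python
from urllib.parse import urlsplit


def origin_matches_host(headers, secure=True, trusted_origins=()):
    """Return True when the Origin header names the same scheme://host as Host.

    Simplifications (assumptions of this sketch): a request without an Origin
    header is rejected outright, and default ports are not normalised.
    """
    origin = headers.get("Origin")
    host = headers.get("Host")
    if not origin or not host:
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False  # covers the opaque "null" origin
    request_origin = f"{parts.scheme}://{parts.netloc}".lower()
    expected = f"{'https' if secure else 'http'}://{host}".lower()
    if request_origin == expected:
        return True
    # Explicit allow-list for deployments where the proxy rewrites Host.
    return request_origin in {t.lower() for t in trusted_origins}


# Constructed sample requests mirroring the cases in the commit message.
SAMPLES = {
    # Before the change: the proxy forwarded the upstream name as Host.
    "before_fix": {"Origin": "https://awx.com", "Host": "runserver"},
    # After the change: Host is set explicitly and matches the Origin.
    "after_fix": {"Origin": "https://awx.com", "Host": "awx.com"},
    # Script served by another site posting to awx.com.
    "cross_site": {"Origin": "https://google.com", "Host": "awx.com"},
    # Sandboxed or privacy-stripped contexts send the literal string "null".
    "null_origin": {"Origin": "null", "Host": "awx.com"},
}


def run_cases():
    """Evaluate every constructed sample and return {name: verdict}."""
    return {name: origin_matches_host(h) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{name:12} -> {'OK' if ok else 'NOT OK'}")
```

The `before_fix` case shows why a legitimate same-site POST failed while the proxy passed `runserver` as Host: the check cannot tell it apart from the cross-site case.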