Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: CSRF cookies allow the use of signatures #88

Merged
merged 1 commit into from
Jan 4, 2024

Conversation

sullay
Copy link
Contributor

@sullay sullay commented Jan 4, 2024

Checklist
  • npm test passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines
Affected core subsystem(s)

egg-security

Description of change

Double-cookie submission using signed cookies to prevent CSRF token tampering through XSS vulnerabilities on the same site but different domains, bypassing CSRF verification of their own domain.

@fengmk2 fengmk2 self-assigned this Jan 4, 2024
Copy link

codecov bot commented Jan 4, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (a178552) 97.22% compared to head (8b0f33e) 97.23%.
Report is 1 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master      #88   +/-   ##
=======================================
  Coverage   97.22%   97.23%           
=======================================
  Files          32       32           
  Lines        1334     1338    +4     
  Branches      337      337           
=======================================
+ Hits         1297     1301    +4     
  Misses         37       37           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@fengmk2 fengmk2 changed the title feat: CSRF cookies allow the use of signatures. feat: CSRF cookies allow the use of signatures Jan 4, 2024
@fengmk2 fengmk2 merged commit da1b532 into eggjs:master Jan 4, 2024
13 of 15 checks passed
fengmk2 pushed a commit that referenced this pull request Jan 4, 2024
[skip ci]

## [3.2.0](v3.1.0...v3.2.0) (2024-01-04)

### Features

* CSRF cookies allow the use of signatures ([#88](#88)) ([da1b532](da1b532))
Copy link

github-actions bot commented Jan 4, 2024

🎉 This PR is included in version 3.2.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants