fix: add middleware for checking Cross-Site Request Forgery (CSRF) when trusted origins are specified via environment variable #4916

Merged
merged 11 commits into from
Oct 9, 2024

@RogerHYang RogerHYang commented Oct 8, 2024

resolves #4883

@dosubot dosubot bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Oct 8, 2024
@@ -107,6 +107,11 @@
"""
The duration, in minutes, before password reset tokens expire.
"""
ENV_PHOENIX_CSRF_TRUSTED_ORIGINS = "CSRF_TRUSTED_ORIGINS"
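Review bot: On the added line `ENV_PHOENIX_CSRF_TRUSTED_ORIGINS = "CSRF_TRUSTED_ORIGINS"`, the constant's name carries a PHOENIX prefix but the environment variable it names does not, so the CSRF allow-list is read from a generic, unprefixed name that any other software sharing the same environment may also define for its own purposes. Suggest `"PHOENIX_CSRF_TRUSTED_ORIGINS"` so the name and the value agree and the setting cannot be picked up unintentionally. Since this value decides which origins pass the CSRF check, the accompanying docstring should state the expected format of the value and what the server does when the variable is unset.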
Contributor Author

see CSRF_TRUSTED_ORIGINS from grafana

@RogerHYang RogerHYang force-pushed the csrf-trusted-origins branch 2 times, most recently from e61c4ae to 34ce718 Compare October 9, 2024 03:59
@RogerHYang RogerHYang changed the title fix: check csrf trusted origins when extracting referer from headers fix: add middleware for checking csrf trusted origins when specified via environment variable Oct 9, 2024
@RogerHYang RogerHYang changed the title fix: add middleware for checking csrf trusted origins when specified via environment variable fix: add middleware for checking Cross-Site Request Forgery (CSRF) when trusted origins are specified via environment variable Oct 9, 2024
@RogerHYang RogerHYang merged commit 26f8e4b into main Oct 9, 2024
29 checks passed
@RogerHYang RogerHYang deleted the csrf-trusted-origins branch October 9, 2024 17:30
Successfully merging this pull request may close these issues.

CSRF sanity check
2 participants