cmd/browser: strengthen cross-site request forgery prevention

This extends XSRF token checking to the startup method and when fetching
Upspin content. The latter is particularly important as tricking someone
into retrieving a file from Upspin space could lead them to trigger some
dynamic interaction with an Upspin server, which could be bad.

We now generate a single access token for all browser XHR requests, and
individual file tokens for accessing specific Upspin paths.

We provide the access token in the URL that the browser opens, so that
it's not possible to obtain the token by sending an HTTP request to the
server. This makes it less likely that a malicious actor could make
requests to the server and therefore act as the Upspin user.

Change-Id: Ie63f66dfd137d3364993d5427de6a4c3c07aafd1
Reviewed-on: https://upspin-review.googlesource.com/12420
Reviewed-by: Rob Pike <r@golang.org>
2 files changed
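
The token scheme the commit message describes, sketched as an added example that is not Upspin's code: one access token for XHR endpoints, a separate token per Upspin path, and the access token disclosed only in the URL handed to the browser. Deriving tokens with HMAC from a per-process secret, the `guard` type, the `/startup` and `/file` endpoints, the `token` and `path` query parameters and the localhost URL are all assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
)

// guard is a hypothetical type; key is a per-process secret that never leaves the server.
type guard struct{ key []byte }

func newGuard() *guard {
	g := &guard{key: make([]byte, 32)}
	if _, err := rand.Read(g.key); err != nil {
		panic(err)
	}
	return g
}

// token binds a token to one purpose: "xhr" for the single access token,
// "file:"+path for an individual file token.
func (g *guard) token(purpose string) string {
	m := hmac.New(sha256.New, g.key)
	m.Write([]byte(purpose))
	return hex.EncodeToString(m.Sum(nil))
}

// authorize checks the token on a request URL: a file fetch needs the token
// for that exact path, every other endpoint needs the access token.
func (g *guard) authorize(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	purpose := "xhr"
	if u.Path == "/file" {
		purpose = "file:" + u.Query().Get("path")
	}
	return hmac.Equal([]byte(u.Query().Get("token")), []byte(g.token(purpose)))
}

func main() {
	g := newGuard()
	// Constructed URL: the only place the access token is handed out.
	fmt.Println("browser opens: http://localhost:8000/?token=" + g.token("xhr"))
	fmt.Println(g.authorize("/file?path=ann@example.com/doc&token=" + g.token("xhr")))
}
```

Because each file token is bound to its path, a link that leaks one token cannot be reused to fetch a different path, and the access token alone never authorises a content fetch.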
tree: 984cb203b2bd9d17dc14ffe3b79348ec452cbee5
  1. .travis.yml
  2. AUTHORS
  3. CONDUCT.md
  4. CONTRIBUTING.md
  5. CONTRIBUTORS
  6. LICENSE
  7. PATENTS
  8. README.md
  9. client/
  10. cmd/
  11. codereview.cfg
  12. filesystem/
README.md

Upspin exp repository

This repository contains components that are experimental or under development.

See the master repository for more information.