Juan Hernandez has posted comments on this change.

Change subject: restapi: Different realms for different URLs
......................................................................

Patch Set 2:

The problem is CSRF protection. When webadmin authenticates to /ovirt-engine/api, it is authenticating for the ENGINE realm. As a side effect it is also authenticated for /api, because we use basic authentication and the realm is the same.

Now if an attacker site tries to send a request to /ovirt-engine/api it will fail, because the browser will automatically send the session cookie, and the session is protected. But if the attacker site sends the request to /api instead, then it will succeed, because there isn't a session/cookie for /api, and CSRF protection doesn't apply in this case.

--
To view, visit http://gerrit.ovirt.org/30222
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I36140bf236b7043f3b813863ce8db635012a11ce
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernan...@redhat.com>
Gerrit-Reviewer: Alexander Wels <aw...@redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernan...@redhat.com>
Gerrit-Reviewer: Sandro Bonazzola <sbona...@redhat.com>
Gerrit-Reviewer: automat...@ovirt.org
Gerrit-Reviewer: oVirt Jenkins CI Server
Gerrit-HasComments: No
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
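The realm behaviour described in the comment above, as an added illustration that is not oVirt code: a small model of a browser's Basic-auth credential cache (keyed by realm) and a server whose session-backed requests require a CSRF token. The `Server`, `Browser`, `cross_site_outcomes` names, the "API" realm string and the cookie/token formats are assumptions chosen for the model.

```python
# Added example, not oVirt code. Models why a Basic realm shared between
# /ovirt-engine/api and /api bypasses the session CSRF check, and why a
# separate realm for /api closes the gap. All names here are assumptions.

class Server:
    def __init__(self, realms):
        self.realms = realms                           # path prefix -> Basic realm
        self.users = {"admin@internal": "secret"}      # constructed test account
        self.sessions = {}                             # cookie -> CSRF token

    def realm_for(self, path):
        return next(r for p, r in self.realms.items() if path.startswith(p))

    def handle(self, path, cookie=None, auth=None, csrf_token=None):
        """Return (status, realm, new_cookie)."""
        realm = self.realm_for(path)
        if cookie in self.sessions:
            # Session-backed request: only accepted with the per-session CSRF
            # token, which a page on another origin cannot read.
            ok = csrf_token == self.sessions[cookie]
            return (200 if ok else 403), realm, None
        if auth and auth[0] == realm and self.users.get(auth[1]) == auth[2]:
            cookie = f"JSESSIONID-{len(self.sessions)}"    # constructed format
            self.sessions[cookie] = f"token-{cookie}"
            return 200, realm, cookie
        return 401, realm, None           # WWW-Authenticate: Basic realm="..."

class Browser:
    def __init__(self):
        self.basic_creds = {}   # realm -> (user, password), replayed on challenge
        self.cookies = {}       # path prefix -> session cookie, sent automatically

    def fetch(self, server, path, login=None, csrf_token=None):
        cookie = next((c for p, c in self.cookies.items() if path.startswith(p)), None)
        status, realm, _ = server.handle(path, cookie=cookie, csrf_token=csrf_token)
        if status != 401:
            return status
        creds = self.basic_creds.get(realm) or login
        if creds is None:
            return 401                    # no cached credentials for this realm
        status, _, new_cookie = server.handle(path, auth=(realm,) + creds)
        if status == 200:
            self.basic_creds[realm] = creds
            if new_cookie:
                self.cookies[path] = new_cookie
        return status

def cross_site_outcomes(realms):
    """webadmin logs in once, then another origin forges requests to both paths."""
    server, browser = Server(realms), Browser()
    assert browser.fetch(server, "/ovirt-engine/api", login=("admin@internal", "secret")) == 200
    # Forged requests carry no CSRF token; only what the browser adds on its own.
    return {p: browser.fetch(server, p) for p in ("/ovirt-engine/api", "/api")}
```

With a shared realm the forged /api request is accepted because the browser answers the challenge from its credential cache; with a distinct realm it stays at 401.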