Jeremiah Senkpiel
@dougwilson isn't abstraction from parsers or whatever scheduled-ish for 2.0?
If it's JSON, I think it should be the json parser?
Ahh `form-data`

> It probably makes sense for this module to be able to parse multipart forms.

Yes, this would be nice. :)
FWIW this is a response to http://blog.nibblesec.org/2014/05/nodejs-connect-csrf-bypass-abusing.html

From email, since Yahoo's being stupid and not sending to @jonathanong:

> (dougwilson)
> > I would like to draft a security section...
I think I like the idea of the original check returning a `403` the most.
@dougwilson -- checking for a body.

```js
// Run the CSRF check when the request carries a body, or when it uses any
// method other than the safe ones (GET, HEAD, OPTIONS).
if (hasbody(req) || ('GET' !== req.method && 'HEAD' !== req.method && 'OPTIONS' !== req.method)) {
  checkCSRF()
}
```
If any option, I'd add an option to still `checkCSRF()` or just `403`. I dunno if we should even be giving that leeway though. This is CSRF prevention, it's...
If we are talking 2.0, docs need to be landed first for sure. expressjs/csurf#7
> the title of this issue mentions `spawn_blocking` but the example uses `spawn_local`. Which API did you intend to open this issue on?

Sorry, I must have mistyped. This is...
Oh, huh. I never thought to try `async_std::sync::Mutex`, I didn't realize it would have differences in `Send` bounds.