datasette

remote/datasette

Fork 0

mirror of https://github.com/simonw/datasette.git synced 2026-06-02 07:07:00 +02:00

Commit graph

Author	SHA1	Message	Date
Simon Willison	a973e3ffa1	Normalize headers in CSRF checks, refs #2689	2026-04-14 19:24:38 -07:00
Simon Willison	028cc2446f	Don't allow cookies with Authorization: Bearer to bypass CSRF Refs #2689	2026-04-14 19:23:21 -07:00
Simon Willison	0b639a8122	Replace token-based CSRF with Sec-Fetch-Site header protection (#2689 ) - New CSRF protection middleware inspired by Go 1.25 and research by Filippo Valsorda - https://words.filippo.io/csrf/ - this replaces the old CSRF token based protection. - Removes all instances of `<input type="hidden" name="csrftoken" value="{{ csrftoken() }}">` in the templates - they are no longer needed. - Removes the `def skip_csrf(datasette, scope):` plugin hook defined in `datasette/hookspecs.py` and its documentation and tests. - Updated CSRF protection documentation to describe the new approach. - Upgrade guide now describes the CSRF change.	2026-04-14 17:11:36 -07:00

Author

SHA1

Message

Date

Simon Willison

a973e3ffa1

Normalize headers in CSRF checks, refs #2689

2026-04-14 19:24:38 -07:00

Simon Willison

028cc2446f

Don't allow cookies with Authorization: Bearer to bypass CSRF

Refs #2689

2026-04-14 19:23:21 -07:00

Simon Willison

0b639a8122

Replace token-based CSRF with Sec-Fetch-Site header protection (#2689 )

- New CSRF protection middleware inspired by Go 1.25 and research by Filippo Valsorda - https://words.filippo.io/csrf/ - this replaces the old CSRF token based protection.
- Removes all instances of `<input type="hidden" name="csrftoken" value="{{ csrftoken() }}">` in the templates - they are no longer needed.
- Removes the `def skip_csrf(datasette, scope):` plugin hook defined in `datasette/hookspecs.py` and its documentation and tests.
- Updated CSRF protection documentation to describe the new approach.
- Upgrade guide now describes the CSRF change.

2026-04-14 17:11:36 -07:00

3 commits