issue_comments
11 rows where author_association = "OWNER", issue = 637363686 and "updated_at" is on date 2020-06-18 sorted by updated_at descending
id | html_url | issue_url | node_id | user | created_at | updated_at ▲ | author_association | body | reactions | issue | performed_via_github_app |
---|---|---|---|---|---|---|---|---|---|---|---|
646308467 | https://github.com/simonw/datasette/issues/835#issuecomment-646308467 | https://api.github.com/repos/simonw/datasette/issues/835 | MDEyOklzc3VlQ29tbWVudDY0NjMwODQ2Nw== | simonw 9599 | 2020-06-18T21:12:50Z | 2020-06-18T21:12:50Z | OWNER | Problem there is Login CSRF attacks: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#login-csrf - I still want to perform CSRF checks on login forms, even though the user may not yet have any cookies. Maybe I can turn off CSRF checks for cookie-free requests but allow login forms to specifically opt back in to CSRF protection? | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | Mechanism for skipping CSRF checks on API posts 637363686 | |
646307083 | https://github.com/simonw/datasette/issues/835#issuecomment-646307083 | https://api.github.com/repos/simonw/datasette/issues/835 | MDEyOklzc3VlQ29tbWVudDY0NjMwNzA4Mw== | simonw 9599 | 2020-06-18T21:09:35Z | 2020-06-18T21:09:35Z | OWNER | So maybe one really easy fix here is to disable CSRF checks entirely for any request that doesn't have any cookies? Also suggested here: https://twitter.com/mrkurt/status/1273682965168603137 | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | Mechanism for skipping CSRF checks on API posts 637363686 | |
646288146 | https://github.com/simonw/datasette/issues/835#issuecomment-646288146 | https://api.github.com/repos/simonw/datasette/issues/835 | MDEyOklzc3VlQ29tbWVudDY0NjI4ODE0Ng== | simonw 9599 | 2020-06-18T20:26:22Z | 2020-06-18T20:26:31Z | OWNER | Useful tip from Carlton Gibson: https://twitter.com/carltongibson/status/1273680590672453632 | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | Mechanism for skipping CSRF checks on API posts 637363686 | |
646217766 | https://github.com/simonw/datasette/issues/835#issuecomment-646217766 | https://api.github.com/repos/simonw/datasette/issues/835 | MDEyOklzc3VlQ29tbWVudDY0NjIxNzc2Ng== | simonw 9599 | 2020-06-18T17:55:54Z | 2020-06-18T17:56:04Z | OWNER | Idea: a mechanism where the | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | Mechanism for skipping CSRF checks on API posts 637363686 | |
646216934 | https://github.com/simonw/datasette/issues/835#issuecomment-646216934 | https://api.github.com/repos/simonw/datasette/issues/835 | MDEyOklzc3VlQ29tbWVudDY0NjIxNjkzNA== | simonw 9599 | 2020-06-18T17:54:14Z | 2020-06-18T17:54:14Z | OWNER | | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | Mechanism for skipping CSRF checks on API posts 637363686 | |
646214158 | https://github.com/simonw/datasette/issues/835#issuecomment-646214158 | https://api.github.com/repos/simonw/datasette/issues/835 | MDEyOklzc3VlQ29tbWVudDY0NjIxNDE1OA== | simonw 9599 | 2020-06-18T17:48:45Z | 2020-06-18T17:48:45Z | OWNER | I wonder if it's safe to generically say "Don't do CSRF protection on any request that includes a | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | Mechanism for skipping CSRF checks on API posts 637363686 | |
646209520 | https://github.com/simonw/datasette/issues/835#issuecomment-646209520 | https://api.github.com/repos/simonw/datasette/issues/835 | MDEyOklzc3VlQ29tbWVudDY0NjIwOTUyMA== | simonw 9599 | 2020-06-18T17:39:30Z | 2020-06-18T17:40:53Z | OWNER | Since | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | Mechanism for skipping CSRF checks on API posts 637363686 | |
646204308 | https://github.com/simonw/datasette/issues/835#issuecomment-646204308 | https://api.github.com/repos/simonw/datasette/issues/835 | MDEyOklzc3VlQ29tbWVudDY0NjIwNDMwOA== | simonw 9599 | 2020-06-18T17:32:41Z | 2020-06-18T17:32:41Z | OWNER | The only way I can think of for a view to opt-out of CSRF protection is for them to be able to reconfigure the | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | Mechanism for skipping CSRF checks on API posts 637363686 | |
646175055 | https://github.com/simonw/datasette/issues/835#issuecomment-646175055 | https://api.github.com/repos/simonw/datasette/issues/835 | MDEyOklzc3VlQ29tbWVudDY0NjE3NTA1NQ== | simonw 9599 | 2020-06-18T17:00:45Z | 2020-06-18T17:00:45Z | OWNER | Here's the Rails pattern for this: https://gist.github.com/maxivak/a25957942b6c21a41acd | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | Mechanism for skipping CSRF checks on API posts 637363686 | |
646172200 | https://github.com/simonw/datasette/issues/835#issuecomment-646172200 | https://api.github.com/repos/simonw/datasette/issues/835 | MDEyOklzc3VlQ29tbWVudDY0NjE3MjIwMA== | simonw 9599 | 2020-06-18T16:57:45Z | 2020-06-18T16:57:45Z | OWNER | I think there are a couple of steps to this one. The nature of CSRF is that it's about hijacking existing authentication credentials. If your Datasette site runs without any authentication plugins at all CSRF protection isn't actually useful. Some POST endpoints should be able to opt-out of CSRF protection entirely. A writable canned query that accepts anonymous poll submissions for example might determine that CSRF is not needed. If a plugin adds This means I need two new mechanisms: | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | Mechanism for skipping CSRF checks on API posts 637363686 | |
646151706 | https://github.com/simonw/datasette/issues/835#issuecomment-646151706 | https://api.github.com/repos/simonw/datasette/issues/835 | MDEyOklzc3VlQ29tbWVudDY0NjE1MTcwNg== | simonw 9599 | 2020-06-18T16:36:23Z | 2020-06-18T16:36:23Z | OWNER | Tweeted about this here: https://twitter.com/simonw/status/1273655053170077701 | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | Mechanism for skipping CSRF checks on API posts 637363686 | |
CREATE TABLE [issue_comments] ( [html_url] TEXT, [issue_url] TEXT, [id] INTEGER PRIMARY KEY, [node_id] TEXT, [user] INTEGER REFERENCES [users]([id]), [created_at] TEXT, [updated_at] TEXT, [author_association] TEXT, [body] TEXT, [reactions] TEXT, [issue] INTEGER REFERENCES [issues]([id]) , [performed_via_github_app] TEXT); CREATE INDEX [idx_issue_comments_issue] ON [issue_comments] ([issue]); CREATE INDEX [idx_issue_comments_user] ON [issue_comments] ([user]);