csrf protection in job_agent #47710
return Response( | ||
text="Method not allowed", | ||
status=aiohttp.web.HTTPNotAllowed.status_code, | ||
) |
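Review bot: the `status=aiohttp.web.HTTPNotAllowed.status_code` argument appears to reference a name that `aiohttp.web` does not define. The 405 exception class there is `HTTPMethodNotAllowed`, so as written this line would raise `AttributeError` when the rejection path is hit instead of returning the response. Use `aiohttp.web.HTTPMethodNotAllowed.status_code` or a literal `405`, and add a test that exercises this branch so the failure cannot hide behind the happy path. Since this is a 405, the response should also carry an `Allow` header listing the methods that are accepted.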
Should we tell people that browser requests are not supported? Or do we purposely not expose this detail?
I don't think there's meaningful value to hiding it although you are so far from a supported path if you wind up there. I can adjust the message.
Signed-off-by: Richo Healey <richo@anyscale.com>
r? @alanwguo
Why are these changes needed?
Prevent confused deputy attacks on the job_agent
Checks
(Working on the checks!)