coop/rose-ash
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Mark IO proxy endpoint as CSRF-exempt (read-only, no state mutation)

Browse Source 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
giles
2026-03-07 09:50:23 +00:00
parent ff2ef29d8a
commit 0d6b959045
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
shared/sx/pages.py
View File

@@ -563,6 +563,9 @@ def mount_io_endpoint(app: Any, service_name: str) -> None:
if isinstance(_val, _Comp) and _val.io_refs:
_ALLOWED_IO.update(_val.io_refs)
from shared.browser.app.csrf import csrf_exempt
@csrf_exempt
async def io_proxy(name: str) -> Any:
if name not in _ALLOWED_IO:
quart_abort(403)