From bd42f5c2da1e9433196bf86069d04b6ea8e97b5f Mon Sep 17 00:00:00 2001 From: Tim Otten Date: Fri, 10 Dec 2021 22:36:13 -0800 Subject: [PATCH] CRM_Utils_REST - Allow certain authentication styles to bypass the XMLHttpRequest requirement Docblocks indicate the theory behind which styles are allowed and which are prohibited. --- CRM/Utils/REST.php | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/CRM/Utils/REST.php b/CRM/Utils/REST.php index bf8a0104c0..b82866867d 100644 --- a/CRM/Utils/REST.php +++ b/CRM/Utils/REST.php @@ -630,12 +630,32 @@ class CRM_Utils_REST { /** * Does this request appear to be a web-service request? * + * This is used to mitigate CSRF risks. + * * @return bool - * TRUE if the current request appears to be web-service request (ie AJAX). - * FALSE if the current request appears to be a standalone browser page-view. + * TRUE if the current request appears to either XMLHttpRequest or non-browser-based. + * Indicated by either (a) custom headers like `X-Request-With`/`X-Civi-Auth` + * or (b) strong-secret-params that could theoretically appear in URL bar but which + * cannot be meaningfully forged for CSRF purposes (like `?api_key=SECRET` or `?_authx=SECRET`). + * FALSE if the current request looks like a standard browser request. This request may be generated by + * ,
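Review bot: the rewritten `@return` docblock in this hunk has two wording problems that should be fixed before merge. First, "TRUE if the current request appears to either XMLHttpRequest or non-browser-based" is missing a verb; something like "TRUE if the current request appears to be either an XMLHttpRequest or a non-browser request" reads cleanly. Second, the header is written as `X-Request-With`, but the header that jQuery and most AJAX clients actually send is `X-Requested-With`; either correct the name or state explicitly that a differently named custom header is intended, since a reader comparing the docblock against the check will otherwise be misled. On substance, the docblock's claim that strong-secret parameters such as `?api_key=SECRET` or `?_authx=SECRET` cannot be meaningfully forged for CSRF purposes is sound (an attacker who can supply the secret does not need CSRF), but because the docblock itself notes these values can appear in the URL bar, it is worth adding one sentence that the bypass addresses CSRF only and does not change the fact that query-string secrets end up in access logs, proxy logs and Referer headers, so header-based authentication remains the preferred style. The hunk as shown ends mid-docblock, so the code change that consumes these rules is not visible here and cannot be reviewed from this excerpt.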