github
id | node_id | number | title | user | state | locked | assignee | milestone | comments | created_at | updated_at | closed_at | author_association | pull_request | body | repo | type | active_lock_reason | performed_via_github_app | reactions | draft | state_reason |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
647879783 | MDU6SXNzdWU2NDc4Nzk3ODM= | 876 | Add log out link to the pattern portfolio | 9599 | closed | 0 | 5533512 | 1 | 2020-06-30T05:42:15Z | 2020-06-30T23:50:04Z | 2020-06-30T23:47:31Z | OWNER | Follows #875 | 107914493 | issue | {"url": "https://api.github.com/repos/simonw/datasette/issues/876/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0} | completed | |||||
648421105 | MDU6SXNzdWU2NDg0MjExMDU= | 877 | Consider dropping explicit CSRF protection entirely? | 9599 | closed | 0 | 9 | 2020-06-30T19:00:55Z | 2020-09-15T20:42:05Z | 2020-09-15T20:42:04Z | OWNER | https://scotthelme.co.uk/csrf-is-dead/ from Feb 2017 has background here. The `SameSite=lax` cookie property effectively eliminates CSRF in modern browsers. https://caniuse.com/#search=SameSite shows 92.13% global support for it. Datasette already uses `SameSite=lax` when it sets cookies by default: https://github.com/simonw/datasette/blob/af350ba4571b8e3f9708c40f2ddb48fea7ac1084/datasette/utils/asgi.py#L327-L341 A few options then. I could ditch CSRF protection entirely. I could make it optional - turn it off by default, but let users who care about that remaining 7.87% of global users opt back into it. One catch: login CSRF: I don't see how `SameSite=lax` protects against that attack. | 107914493 | issue | {"url": "https://api.github.com/repos/simonw/datasette/issues/877/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0} | completed | ||||||
648435885 | MDU6SXNzdWU2NDg0MzU4ODU= | 878 | New pattern for views that return either JSON or HTML, available for plugins | 9599 | open | 0 | 3268330 | 26 | 2020-06-30T19:26:13Z | 2022-03-19T16:19:30Z | OWNER | Can be part of #870 - refactoring existing views to use `register_routes()`. > I'm going to put the new `check_permissions()` method on `BaseView` as well. If I want that method to be available to plugins I can do so by turning that `BaseView` class into a documented API that plugins are encouraged to use themselves. _Originally posted by @simonw in https://github.com/simonw/datasette/issues/832#issuecomment-651995453_ | 107914493 | issue | {"url": "https://api.github.com/repos/simonw/datasette/issues/878/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0} | |||||||
648569227 | MDU6SXNzdWU2NDg1NjkyMjc= | 879 | Database page documentation still talks about hashes in URLs | 9599 | closed | 0 | 5533512 | 1 | 2020-06-30T23:43:17Z | 2020-06-30T23:48:06Z | 2020-06-30T23:45:42Z | OWNER | https://datasette.readthedocs.io/en/0.44/pages.html > Note that these URLs end in a 7 character hash. This hash is derived from the contents of the database, and ensures that each URL is immutable: the data returned from a URL containing the hash will always be the same, since if the contents of the database file changes by even a single byte a new hash will be generated. This isn't accurate any more - that's not default behaviour, and it may be removed entirely in #647. | 107914493 | issue | {"url": "https://api.github.com/repos/simonw/datasette/issues/879/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0} | completed |