@mattab opened this Issue on April 12th 2018 Member

In Administration > Email reports, users can download an email report. The "Download" link includes the token_auth. This is problematic because the token_auth is then leaked in server access logs and browser history.

-> We should change it so that the link doesn't include the token_auth, and instead the "download" should be a POST request with the token_auth in the POST body.
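
A way to check existing access logs for the leak described in this issue, as an added example that is not part of the original thread or the project's code: it flags combined-format log lines whose request URL or Referer carries token_auth, writes a redacted copy of each line, and reports a hash fingerprint so the affected tokens can be identified for rotation. The log lines, paths, other parameters and token values are constructed; only the token_auth parameter name comes from the issue.

```python
import hashlib
import re
from urllib.parse import urlsplit, parse_qsl

# Combined log format: client, timestamp, request line, status, size, referer.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"')
TOKEN_RE = re.compile(r'(?i)([?&]token_auth=)[^&\s"]+')

# Constructed tokens and log lines; only the token_auth name is from the issue.
TOKEN_A = "0123456789abcdef0123456789abcdef"
TOKEN_B = "fedcba9876543210fedcba9876543210"
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2018:10:01:22 +0000] "GET /index.php?download=1'
    f'&idReport=3&token_auth={TOKEN_A} HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Apr/2018:10:01:25 +0000] "POST /index.php?download=1'
    '&idReport=3 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Apr/2018:10:02:00 +0000] "GET /index.php HTTP/1.1" '
    f'200 812 "https://analytics.example/?token_auth={TOKEN_B}" "Mozilla/5.0"',
]

def fingerprint(token):
    """Short SHA-256 prefix: names a token for rotation without storing it."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def scan(lines):
    """Return (findings, redacted_lines) for an iterable of access-log lines."""
    findings, redacted = [], []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m:
            # A token in a URL is logged both as a request and as a Referer.
            for field in ("target", "referer"):
                query = urlsplit(m.group(field)).query
                for key, value in parse_qsl(query, keep_blank_values=True):
                    if key.lower() == "token_auth" and value:
                        findings.append({"line": lineno, "field": field,
                                         "method": m.group("method"),
                                         "fingerprint": fingerprint(value)})
        # Redact on the raw line so unparseable lines are cleaned as well.
        redacted.append(TOKEN_RE.sub(r"\1[REDACTED]", line))
    return findings, redacted

if __name__ == "__main__":
    found, clean = scan(SAMPLE_LOG)
    for finding in found:
        print(finding)
    print("\n".join(clean))
```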

@tsteur commented on April 12th 2018 Member

When you POST, the reload might be problematic. Can probably simply add a controller action for this that executes the API method, so no token is needed etc.

@mattab commented on December 14th 2018 Member

Reloading should work I think (browser would prompt "do you want to post the data?"), but sharing the link or opening in a new window wouldn't work (as expected).

This Issue was closed on May 2nd 2019