Avoid appending 'atl_token' to POST URLs when uploading avatar in Bitbucket Data Center

    • Type: Suggestion
    • Resolution: Unresolved
    • Component/s: Security - XSS

      Bitbucket DC appends atl_token to the POST URL when uploading Avatar in User Profile.

      POST <<bb_url>>/users/admin/avatar.png?atl_token=<<token>>
      

      Feature Request:
      Avoid exposing the XSRF token (atl_token) in the POST URL.

              Assignee:
              Unassigned
              Reporter:
              Karthik Mahesh
              Votes:
              0
              Watchers:
              1

                Created:
                Updated:
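
An added example, not part of the original issue and not Atlassian's code: a query string is part of the request line, so a token placed there is written wherever requests are logged. The script below finds and redacts 'atl_token' in access-log lines; the log format, user names and token values are constructed assumptions, not Bitbucket's actual log layout.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample lines in a generic access-log shape (an assumption, not
# Bitbucket's real format); addresses, users and token values are made up.
SAMPLE_LOG = """\
10.0.0.5 "POST /users/admin/avatar.png?atl_token=EXAMPLE-TOKEN-1 HTTP/1.1" 200
10.0.0.5 "GET /projects?start=0&limit=25 HTTP/1.1" 200
10.0.0.7 "POST /users/jdoe/avatar.png?size=64&atl_token=EXAMPLE-TOKEN-2 HTTP/1.1" 200
10.0.0.9 "GET /dashboard HTTP/1.1" 200
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')
SENSITIVE_PARAMS = {"atl_token"}  # the XSRF token parameter named in this issue

def redact_target(target):
    """Return (redacted_target, leaked_param_names) for one request target."""
    parts = urlsplit(target)
    leaked, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            leaked.append(name)
            value = "REDACTED"
        kept.append((name, value))
    if not leaked:
        return target, leaked  # leave untouched targets byte-for-byte intact
    return urlunsplit(parts._replace(query=urlencode(kept))), leaked

def scrub_log(text):
    """Redact sensitive query parameters; return (clean_text, findings)."""
    findings, out = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if m:
            clean, leaked = redact_target(m.group("target"))
            if leaked:
                findings.append((lineno, m.group("method"), urlsplit(clean).path))
                line = line[:m.start("target")] + clean + line[m.end("target"):]
        out.append(line)
    return "\n".join(out) + "\n", findings

if __name__ == "__main__":
    cleaned, hits = scrub_log(SAMPLE_LOG)
    print(cleaned, end="")
    for lineno, method, path in hits:
        print(f"line {lineno}: {method} {path} carried a token in the URL")
```

Redaction of stored logs only limits exposure after the fact; the request in this issue is for the token to stop appearing in the URL at all.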