User avatar upload endpoint is vulnerable to XSRF


Stash, as of 2.12, allows users to upload local avatars to their account (STASHDEV-6182).

That upload is submitted to a (non-API) endpoint that accepts a POST request with the avatar as a data URI.

Currently, because the form is submitted by AJAX, the endpoint is annotated with @IgnoresXsrf, as the front-end doesn't have a security token to submit along with the request. See UserProfileController.uploadAvatar for the source.

      The two alternatives to fix this (and remove the annotation) are:

      • submit the data as JSON instead of form-urlencoded,
      • get hold of a security token/value in the page and submit it as part of the AJAX request.

Assignee: Marcin (Inactive)
Reporter: Pierre-Etienne Poirot (Inactive)