## CSRF のリスク { #csrf-risk }

この既定の挙動は、ある特定の状況における Cross-Site Request Forgery（CSRF）攻撃の一種に対する保護を提供します。

これらの攻撃は、次の条件を満たすときにブラウザが CORS のプリフライトチェックを行わずにスクリプトからリクエストを送信できる事実を悪用します。

- `Content-Type` ヘッダーがない（例: `Blob` をボディにして `fetch()` を使う）
- かつ、いかなる認証情報も送信しない

この種の攻撃は主に次のような場合に関係します。

- アプリケーションがローカル（例: `localhost`）または社内ネットワークで動作している
- かつ、アプリに認証がなく、同一ネットワークからのリクエストは信頼できると想定している

## 攻撃例 { #example-attack }

package org.codelibs.fess.suggest.request.popularwords;

import org.codelibs.fess.suggest.request.RequestBuilder;
import org.opensearch.transport.client.Client;

/**
 * Builder for creating a {@link PopularWordsRequest} to fetch popular words.
 * This builder provides methods to set various parameters for the request.
 */
public class PopularWordsRequestBuilder extends RequestBuilder<PopularWordsRequest, PopularWordsResponse> {
    /**

	// assert the http response.
	c.Assert(response.StatusCode, http.StatusOK)

	// make HTTP request to fetch the object.
	request, err = newTestSignedRequest(http.MethodGet, getGetObjectURL(s.endPoint, bucketName, objectName),
		0, nil, s.accessKey, s.secretKey, s.signer)
	c.Assert(err, nil)

	// execute the http request to fetch object.
	response, err = s.client.Do(request)
	c.Assert(err, nil)
	// assert the http response status code.

    - cron: '0 5 * * *'

permissions: {}

jobs:
  CodeQL-Build:
    permissions:
      actions: read  # for github/codeql-action/init to get workflow details
      contents: read  # for actions/checkout to fetch code
      security-events: write  # for github/codeql-action/analyze to upload SARIF results
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:

		return cred, ErrNone
	}

	return cred, ErrAccessDenied
}

// Fetch the security token set by the client.
func getSessionToken(r *http.Request) (token string) {
	token = r.Header.Get(xhttp.AmzSecurityToken)
	if token != "" {
		return token
	}
	return r.Form.Get(xhttp.AmzSecurityToken)
}

// Fetch claims in the security token returned by the client, doesn't return

									<span class="step-label"><la:message key="labels.chat_step_evaluate" /></span>
								</div>
								<div class="progress-step" data-phase="fetch">
									<div class="step-icon"><i class="fa fa-file-text-o" aria-hidden="true"></i></div>
									<span class="step-label"><la:message key="labels.chat_step_fetch" /></span>
								</div>

        // search

    }

    /**
     * Retrieves a list of all available related content entities.
     * Results are ordered by term and limited by the configured maximum fetch size.
     *
     * @return a list of all available RelatedContent entities
     */
    public List<RelatedContent> getAvailableRelatedContentList() {
        return relatedContentBhv.selectList(cb -> {

        }
        load();
    }

    /**
     * Retrieves a list of all available related query entities from the data store.
     * The results are ordered by term and limited by the configured maximum fetch size.
     *
     * @return a list of RelatedQuery entities containing all available related queries
     */
    public List<RelatedQuery> getAvailableRelatedQueryList() {

     */
    @Override
    void close();

    /**
     * Fetch all children
     *
     * @return an iterator over the child resources
     * @throws CIFSException if an error occurs accessing the resource
     */
    CloseableIterator<SmbResource> children() throws CIFSException;

    /**
     * Fetch children matching pattern, server-side filtering
     *
     * <p>

    steps:
      - name: Dump GitHub context
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
        run: echo "$GITHUB_CONTEXT"
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version-file: ".python-version"
      - name: Setup uv
        uses: astral-sh/setup-uv@v7
        with: