I want to use Super Productivity which is a time tracker application that allows for saving its data via WebDAV. However, that does not work with Nextcloud, unless the application is exempt from CSRF-protection via the csrf.optout setting (cf. [https://github.com/johannesjo/super-productivity/issues/599]).
Not being an expert for such token things by any means, I would like to ask for opinions about the overall safety of such a setting. I am trying to judge the risk involved.
If I remember correctly, the user agent string can be faked by any client. Is it correct to say then that having registered anything under csrf.optout basically voids CSRF protection in Nextcloud, assuming an attacker knows the optout string?
Independently of the above, would it make sense to have more fine-grained control over such safety-related settings, especially on a per user base instead of the whole Nextcloud instance where all users are affected?
Thanks in advance for your input!
Nextcloud version 19.0.6
Operating system Ubuntu 18.04
Nginx 1.19.3
PHP 7.2.24