Presenter links protected against CSRF

6 years ago

David Grudl
Nette Core | 6887
+
0
-

Activation:

Protection will cover actions, signals and components, and will be enabled by an annotation on the appropriate method or on the whole presenter. For individual components, it will be activated by annotations in a similar way to how persistent components are defined now.

(Implementation should be general, so the same API can be used in future for authorization etc.)

The principle of protection:

Protected links will be rendered with the HTML attribute data-nette-secure and sent like POST forms using JavaScript, but with an additional field __csrf. The default implementation will not use jQuery and will be compatible with IE8+.

Token will be checked in RequestFactory, as mentioned in this RFC.

The presenter will only check that the HTTP method, for protected links, is something other than GET / HEAD. Otherwise it will throw 403.

AJAX:

Protected links can be sent via AJAX using the methods POST/PUT/DELETE with the token in the HTTP header X-CSRF-Token. This means that RequestFactory, in addition to checking the POST field, will check the header X-CSRF-Token too (if it matches the token in the cookie).

6 years ago

Aurielle
Member | 1283
+
0
-

What if the user turns off his JavaScript and then sees a bunch of 403s because the site used protected links? I think that the protection shouldn't rely on enabled JS.

6 years ago

David Grudl
Nette Core | 6887
+
0
-

This solution is JS only. Good enough in 2014. Nobody knows how to turn JavaScript off.

6 years ago

Filip Procházka
Moderator | 4693
+
0
-

Protected links are for actions that require a logged-in user. If you wanna just read something, the web will still work because you don't need JavaScript for that (GET HTTP method). But for operations over some data (POST/PUT/DELETE HTTP methods through AJAX) you would need JavaScript.

Makes perfect sense to me.

6 years ago

Jan Tvrdík
Nette guru | 2563
+
0
-

@David Grudl: The problem is that JS fails quite easily.

6 years ago

hrach
Member | 1818
+
0
-

Another problem is the middle click.

6 years ago

David Grudl
Nette Core | 6887
+
0
-

My fault, I have split this RFC in two RFCs. So this is now only about protected presenters.

6 years ago

JakubJarabica
Gold Partner | 184
+
0
-

Not only the middle click, but what about clicking on some link before document.ready has been triggered? Unfortunately there are still slow (EDGE/3G) connections that cause JS to run in terms of seconds.