OWASP / www-project-csrfguard

The aim of this project is to protect Java applications against CSRF attacks with the use of Synchronizer Tokens
https://owasp.org/www-project-csrfguard/
BSD 3-Clause "New" or "Revised" License

request through a proxyPass problem #254

Closed stefano-1973 closed 3 months ago

stefano-1973 commented 3 months ago

If the traffic flows across a proxyPass, this condition in csrfguard.js is no longer satisfied:

if (isValidDomain(document.domain, "%DOMAINORIGIN%")) {

The user will receive this error:

"a OWASP CSRFGuard JavaScript was included from within an unauthorized domain".

The problem lies in request.getRequestURL(), which JavaScriptServlet uses to get the domain origin. When there is a proxyPass between the browser and the web server, request.getRequestURL() returns the address of the local web server as seen by the proxyPass server, not the external proxyPass URL requested by the client browser.

In this pull request I modified JavaScriptServlet so that the class prefers the X-Forwarded-Host header if it was populated by the proxyPass. This header identifies the original host requested by the client in the Host HTTP request header.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
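The resolution logic described in the comment above, as an added illustration that is not CSRFGuard's code nor the code in this pull request. It shows the failure mode (a backend behind a reverse proxy sees its own internal address in getRequestURL()) and the fix (prefer X-Forwarded-Host), plus the check a reviewer would ask for: X-Forwarded-Host is client-controllable, so it is only honoured when the request arrived from a known proxy address and the value parses as a plain hostname; otherwise the servlet falls back to getRequestURL(). The class name, the trusted-proxy list, the hostname pattern, and the assumption that %DOMAINORIGIN% is a bare hostname (what document.domain carries) are all mine; the three inputs stand in for request.getRequestURL(), request.getHeader("X-Forwarded-Host") and request.getRemoteAddr().

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added illustration, not CSRFGuard code: derive the domain origin that
 * csrfguard.js compares against document.domain, preferring X-Forwarded-Host
 * only when the request came in through a trusted reverse proxy.
 */
public final class DomainOriginResolver {

    // Hostname labels per RFC 1123 with an optional :port. Deliberately strict:
    // anything else in a forwarded header is treated as if the header were absent.
    // (Hypothetical pattern; bracketed IPv6 literals are not handled here.)
    private static final Pattern HOST_PATTERN = Pattern.compile(
        "^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\\.)*"
      + "[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?::\\d{1,5})?$");

    // Addresses of the proxyPass hosts allowed to set X-Forwarded-Host (assumed config).
    private final Set<String> trustedProxyAddresses;

    public DomainOriginResolver(Set<String> trustedProxyAddresses) {
        this.trustedProxyAddresses = trustedProxyAddresses;
    }

    /**
     * @param requestUrl     what request.getRequestURL() returns on the backend
     * @param xForwardedHost the X-Forwarded-Host header value, or null if absent
     * @param remoteAddr     what request.getRemoteAddr() returns (the proxy, when proxied)
     * @return the hostname to embed as %DOMAINORIGIN%
     */
    public String resolve(String requestUrl, String xForwardedHost, String remoteAddr) {
        if (xForwardedHost != null && trustedProxyAddresses.contains(remoteAddr)) {
            // A chain of proxies may append values; the first one is the host the
            // client actually asked for.
            String first = xForwardedHost.split(",", 2)[0].trim();
            if (first.length() <= 260 && HOST_PATTERN.matcher(first).matches()) {
                return stripPort(first);
            }
            // Malformed value from a trusted proxy: fall through to getRequestURL().
        }
        return hostOf(requestUrl);
    }

    private static String hostOf(String url) {
        try {
            String host = new URI(url).getHost();
            return host == null ? "" : host;
        } catch (URISyntaxException e) {
            return "";
        }
    }

    private static String stripPort(String hostPort) {
        int colon = hostPort.lastIndexOf(':');
        return colon < 0 ? hostPort : hostPort.substring(0, colon);
    }

    public static void main(String[] args) {
        // Constructed sample values; 10.0.0.5 plays the proxyPass server.
        DomainOriginResolver r = new DomainOriginResolver(Set.of("10.0.0.5"));
        String backendUrl = "http://app-backend:8080/app/JavaScriptServlet";

        // No proxy: only getRequestURL() is available, and it is what the browser used.
        System.out.println(r.resolve(backendUrl, null, "203.0.113.9"));           // app-backend

        // Through the proxyPass: getRequestURL() is the internal name, so the
        // forwarded host is used and matches document.domain in the browser.
        System.out.println(r.resolve(backendUrl, "www.example.com:443", "10.0.0.5")); // www.example.com

        // Same header sent directly by a client that is not the proxy: ignored.
        System.out.println(r.resolve(backendUrl, "evil.example", "203.0.113.9"));  // app-backend

        // Garbage from the proxy (e.g. injected by an upstream client): ignored.
        System.out.println(r.resolve(backendUrl, "a b\"><script>", "10.0.0.5"));   // app-backend
    }
}
```

Without the remote-address gate, any client that reaches the backend directly (or a proxy that forwards the client's own X-Forwarded-Host unchanged) could choose the domain that csrfguard.js accepts, which defeats the "unauthorized domain" check rather than fixing it. Whether the gate belongs in CSRFGuard itself or in the proxy configuration (by overwriting the header at the edge) is a deployment decision; the point is that one of the two must happen.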

stefano-1973 commented 3 months ago

I applied your requested changes to the code. Let me know if it's OK now.