UUDigitalHumanitieslab / EDPOP

A virtual research environment (VRE) that lets you collect, align and annotate bibliographical and biographical records from several online catalogs.
BSD 3-Clause "New" or "Revised" License

Prevent CSRF token leakage #134

Closed jgonggrijp closed 3 months ago

jgonggrijp commented 1 year ago

Currently, the following two snippets in the frontend ensure that the CSRF token header is added to every backend request:

https://github.com/UUDigitalHumanitieslab/EDPOP/blob/6a405894c570e0ee48c53b37dafac76b526713ab/vre/static/vre/main.js#L31-L34

https://github.com/UUDigitalHumanitieslab/EDPOP/blob/6a405894c570e0ee48c53b37dafac76b526713ab/vre/static/vre/utils/generic-functions.js#L13-L17

For now, this is fine, because our frontend only sends requests to our own backend. However, as soon as we also start sending XHRs to other applications, we need to prevent the CSRF token from being leaked in this way. The token header should only be added to requests to our own backend.

This is potentially a dependency of #124.
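The same-origin gate the issue asks for, as an added illustration that is not code from the EDPOP repository or from the issue author. It assumes Django's default `X-CSRFToken` header name and a placeholder backend origin; the header is only attached when the request URL resolves to that origin, so protocol-relative, cross-scheme and look-alike-host URLs never receive the token.

```javascript
// Added example, not EDPOP code. Only attach the CSRF header when the request
// targets our own backend origin. Header name is assumed (Django's default).
const CSRF_HEADER = 'X-CSRFToken';

// True when `requestUrl` (absolute or relative) resolves to the same origin
// (scheme + host + port) as `appOrigin`. Relative paths resolve against
// appOrigin; '//other.host/...' resolves to a foreign origin and is rejected.
function isSameOrigin(requestUrl, appOrigin) {
  let target;
  try {
    target = new URL(requestUrl, appOrigin);
  } catch (e) {
    return false; // unparseable URL: never attach the token
  }
  return target.origin === new URL(appOrigin).origin;
}

// Build the headers for a request: the caller's own headers plus the CSRF
// token only for same-origin requests. Does not mutate the input object.
function headersFor(requestUrl, appOrigin, token, headers = {}) {
  const out = Object.assign({}, headers);
  if (token && isSameOrigin(requestUrl, appOrigin)) {
    out[CSRF_HEADER] = token;
  }
  return out;
}

// Wrap a fetch-like function so every call goes through headersFor.
// `fetchImpl` is injected (assumed usage, not EDPOP's own request layer).
function csrfFetch(appOrigin, token, fetchImpl) {
  return function (url, options = {}) {
    const opts = Object.assign({}, options, {
      headers: headersFor(url, appOrigin, token, options.headers),
    });
    return fetchImpl(url, opts);
  };
}
```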

jgonggrijp commented 4 months ago

Should be easy to fix by using wrapWithCSRF from @uu-cdh/backbone-util.