dadi / web

Web is a drop in front end for websites and web apps. Consumes data from DADI API and others
https://dadi.cloud/en/web/

CSRF whitelist #400

Closed mingard closed 6 years ago

mingard commented 6 years ago

There are some instances where a particular URI doesn't require protection. It would be useful to be able to whitelist these.

Current

    "security": {
      "csrf": true
    }

Proposed

    "security": {
      "csrf": true,
      "csrfWhitelist": [
        "/foo/bar/:param?",
        "/baz/qux"
      ]
    }

eduardoboucas commented 6 years ago

Can you give an example of a scenario where you'd want to skip CSRF protection?

mingard commented 6 years ago

An AJAX call to an RSS feed.

I've discovered that even if a csrf token exists as a hidden form field, an XMLHTTPRequest will not work, possibly because there's no session.

One method I've written since opening this ticket is the following:

    // `e` is the form's submit event; post the form by XHR and carry the
    // hidden `_csrf` field as a header too (assumes the form has an `action`)
    var formData = new FormData(e.target);
    var request = new XMLHttpRequest();
    var method = e.target.getAttribute('method');
    request.open(method, e.target.getAttribute('action'));

    if (formData.get("_csrf")) {
      request.setRequestHeader("X-CSRF-Token", formData.get("_csrf"));
    }

    request.send(formData);

Still, in circumstances where there are no exploit vectors, it would be good to add some flexibility.

jimlambie commented 6 years ago

An AJAX call to an RSS feed? Should this not be a GET request, rather than a POST?

mingard commented 6 years ago

Bad example - I've used this in a request that updates a session value based on the submission of a form which in turn returns a success boolean.

  1. User inputs value
  2. Form submitted
  3. Value checked for validity
  4. User session updated if valid
  5. Success/error returned
  6. UI feedback

mingard commented 6 years ago

Rather than adding a whitelist, I will document this approach.