eclipse-ee4j / jersey

Eclipse Jersey Project - Read our Wiki:
https://github.com/eclipse-ee4j/jersey/wiki

CSRFProtectionFilter uses non-canonical header name #3717

Open jerseyrobot opened 7 years ago

jerseyrobot commented 7 years ago

The CSRFProtectionFilter uses the X-Requested-By header, which is fine and meets proper CSRF protection criteria. However, the OWASP cheat sheet, Wikipedia, jQuery, other frameworks, all recommend the X-Requested-With header instead.

There is no significant difference between one header or another, except that the latter has become the de-facto standard. Jersey2 should probably adopt it to ease use.

Workaround: The CSRF protection filter is easy enough to self-implement.

jerseyrobot commented 7 years ago

@krotscheck Commented Additional comment: Both the client and server would have to be updated.

jerseyrobot commented 7 years ago

@JBerny Commented Hi,

I would like to contribute. I've never worked on an open source project and this seems good for a beginner. Is this still needed?

jerseyrobot commented 6 years ago

@schlm3 Commented I noticed that same issue today. Searched for a long time now for differences between using one or the other but did not find anything of relevance. I think using "X-Requested-With" in CsrfProtectionFilter would have been the better choice, but you cannot change it now without breaking existing implementations. You would have to add the second option. The other header name may come out of the quasi-reference document to CSRF at https://seclab.stanford.edu/websec/csrf/csrf.pdf .

jerseyrobot commented 6 years ago

@krotscheck Commented That's fair. Let me update my "workaround" so that others can just copy/paste if they so choose:

https://github.com/kangaroo-server/kangaroo/blob/17afab901e5152546133ba8e4cfe07d6782162b2/kangaroo-common/src/main/java/net/krotscheck/kangaroo/common/security/CsrfProtectionFilter.java
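A server-side filter that accepts either header name, as suggested in the thread, written here as an added example: it is neither Jersey's own CsrfProtectionFilter nor the kangaroo code linked above, and the class name `CsrfHeaderFilter` and the helper `isAllowed` are my own. It assumes Jersey 2 with the `javax.ws.rs` API and Jersey's case-insensitive request header map.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.Priority;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.ext.Provider;

/**
 * CSRF filter in the style of Jersey's CsrfProtectionFilter that accepts either
 * custom header. The protection rests on the browser: a cross-origin page cannot
 * attach a custom request header without a CORS preflight, so a state-changing
 * request that carries one came from same-origin script or a non-browser client,
 * not from a forged HTML form. (Hypothetical class name, not a Jersey class.)
 */
@Provider
@PreMatching
@Priority(Priorities.AUTHENTICATION)
public class CsrfHeaderFilter implements ContainerRequestFilter {

    /** Jersey's original header name plus the de-facto standard one. */
    static final Set<String> ACCEPTED_HEADERS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("X-Requested-By", "X-Requested-With")));

    /** Safe methods are not state-changing and are left alone, as in Jersey. */
    private static final Set<String> METHODS_TO_IGNORE = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("GET", "OPTIONS", "HEAD")));

    /** True when the request may proceed; separated out so it can be unit-tested. */
    static boolean isAllowed(String method, MultivaluedMap<String, String> headers) {
        if (METHODS_TO_IGNORE.contains(method)) {
            return true;
        }
        // Jersey's ContainerRequest header map is case-insensitive (assumption for other runtimes).
        for (String name : ACCEPTED_HEADERS) {
            if (headers.containsKey(name)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void filter(ContainerRequestContext request) throws IOException {
        if (!isAllowed(request.getMethod(), request.getHeaders())) {
            // Same outcome as Jersey's filter: reject with 400 before resource matching.
            throw new BadRequestException("Missing CSRF header; expected one of " + ACCEPTED_HEADERS);
        }
    }
}
```

As krotscheck notes, the client side must send one of the accepted headers too; a header-only check offers no protection if the API is also served with a permissive CORS policy that allows the custom header from any origin.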