javaee / jersey

This is no longer the active Jersey repository. Please see the README.md
http://jersey.github.io

CSRFProtectionFilter uses non-canonical header name #3717

Open krotscheck opened 6 years ago

krotscheck commented 6 years ago

The CSRFProtectionFilter uses the X-Requested-By header, which is fine and meets proper CSRF protection criteria. However, the OWASP cheat sheet, Wikipedia, jQuery, and other frameworks all recommend the X-Requested-With header instead.

There is no significant difference between one header or another, except that the latter has become the de-facto standard. Jersey2 should probably adopt it to ease use.

Workaround: The CSRF protection filter is easy enough to self-implement.

krotscheck commented 6 years ago

Additional comment: Both the client and server would have to be updated.

Sprootsy commented 6 years ago

Hi,

I would like to contribute. I've never worked on an open source project and this seems good for a beginner. Is this still needed?

schlm3 commented 6 years ago

I noticed the same issue today. I have searched for a long time now for differences between using one or the other but did not find anything of relevance. I think using "X-Requested-With" in CsrfProtectionFilter would have been the better choice, but you cannot change it now without breaking existing implementations. You would have to add the second option. The other header name may come from the quasi-reference document on CSRF at https://seclab.stanford.edu/websec/csrf/csrf.pdf .

krotscheck commented 6 years ago

That's fair. Let me update my "workaround" so that others can just copy/paste if they so choose:

https://github.com/kangaroo-server/kangaroo/blob/17afab901e5152546133ba8e4cfe07d6782162b2/kangaroo-common/src/main/java/net/krotscheck/kangaroo/common/security/CsrfProtectionFilter.java
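The thread's workaround and schlm3's "add the second option" both amount to the same thing: a JAX-RS filter that accepts either header, plus a client filter that sends it. The following is an added example written for this page; it is neither Jersey's own CsrfProtectionFilter nor the kangaroo filter linked above. It assumes the JAX-RS 2.x `javax.ws.rs` API that Jersey 2 implements; the class names, the header values the client sends, and the `mustReject` helper are this example's own choices.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.annotation.Priority;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.Priorities;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.ClientRequestContext;
import javax.ws.rs.client.ClientRequestFilter;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.ext.Provider;

/**
 * Server side. Rejects state-changing requests that carry neither
 * X-Requested-By (what Jersey's CsrfProtectionFilter expects) nor
 * X-Requested-With (what jQuery and most other clients send).
 *
 * Only the header's presence is checked: a browser will not attach a
 * custom header to a cross-site form post or simple XHR without a CORS
 * preflight that this server would first have to approve.
 *
 * Hypothetical example class, not part of Jersey; assumes JAX-RS 2.x.
 */
@Provider
@PreMatching
@Priority(Priorities.AUTHENTICATION)
public class DualHeaderCsrfProtectionFilter implements ContainerRequestFilter {

    public static final String JERSEY_HEADER = "X-Requested-By";
    public static final String DEFACTO_HEADER = "X-Requested-With";

    /** Methods exempt from the check: the same set Jersey's filter exempts. */
    private static final Set<String> SAFE_METHODS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS")));

    /** Pure decision logic, separated so it can be unit-tested without a container. */
    static boolean mustReject(String method, String jerseyHeader, String defactoHeader) {
        if (SAFE_METHODS.contains(method.toUpperCase(Locale.ROOT))) {
            return false;
        }
        // ContainerRequestContext.getHeaderString returns null only when the
        // header is absent; an empty string still counts as present.
        return jerseyHeader == null && defactoHeader == null;
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        if (mustReject(ctx.getMethod(),
                       ctx.getHeaderString(JERSEY_HEADER),
                       ctx.getHeaderString(DEFACTO_HEADER))) {
            // 400, the same status Jersey's own CsrfProtectionFilter returns.
            throw new BadRequestException(
                    "Missing " + JERSEY_HEADER + " or " + DEFACTO_HEADER + " header");
        }
    }

    /**
     * Client side. Sends both headers so the request passes whichever
     * filter the server runs, old or new. Nested only so the example fits
     * in one source file.
     */
    static class CsrfHeaderClientFilter implements ClientRequestFilter {
        @Override
        public void filter(ClientRequestContext ctx) {
            // Header values are arbitrary; "XMLHttpRequest" is what jQuery sends.
            ctx.getHeaders().putSingle(JERSEY_HEADER, "jersey-client");
            ctx.getHeaders().putSingle(DEFACTO_HEADER, "XMLHttpRequest");
        }
    }

    /** Builds a client with the header filter registered (no request is sent here). */
    public static Client newCsrfAwareClient() {
        return ClientBuilder.newClient().register(new CsrfHeaderClientFilter());
    }
}
```

On the server, register the filter with `ResourceConfig.register(DualHeaderCsrfProtectionFilter.class)` in place of Jersey's `CsrfProtectionFilter`; on the client, use `newCsrfAwareClient()` or register `CsrfHeaderClientFilter` on an existing `Client`. Two caveats apply to either header name equally. First, the check only holds while the browser refuses to send custom headers cross-site without a preflight, so a CORS policy that reflects arbitrary origins and allows these headers in `Access-Control-Allow-Headers` defeats it. Second, GET, HEAD and OPTIONS are exempt, so any handler on those methods that changes state is unprotected regardless of the header.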