koajs / csrf

CSRF tokens for koa
MIT License

Add option for verifying csrf token in certain types request only #35

Closed sagan closed 7 years ago

sagan commented 7 years ago

Hi

How about limiting the CSRF verification to application/x-www-form-urlencoded, multipart/form-data, and text/plain type requests only? As a plain HTML form can only send these 3 types of requests (without XMLHttpRequest / fetch, which have a same-origin policy), there will be no CSRF risk in most cases if I implement an 'application/json' type REST-style API.

stephenmathieson commented 7 years ago

I don't follow what you're asking for, but JSON APIs are just as vulnerable to CSRF attacks as APIs accepting multipart forms.

Closing for now. Reopen if you can provide more detail.

sagan commented 7 years ago

Sorry for my poor English. What I mean is, skip the CSRF token verification if the request Content-Type is not in [application/x-www-form-urlencoded, multipart/form-data, text/plain]. Because this kind of request can only be initiated from a same-origin XMLHttpRequest / fetch, which has no CSRF risks.

The code looks like this:

```js
// Skip CSRF verification when the Content-Type is one a plain HTML form cannot send
// (ctx.request.type is the media type without parameters such as charset)
if ([ 'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain' ].indexOf(ctx.request.type) == -1)
  return next();
```

stephenmathieson commented 7 years ago

XMLHttpRequest and fetch absolutely have CSRF risks.
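As an added example (not koa-csrf's own code, and not part of the thread), here is the content-type gate proposed above written as a pure, testable function, with the edge cases a practitioner would want handled: parameters such as `charset` and `boundary` are stripped, the type is compared case-insensitively, and a missing Content-Type does not fail open. The function names, the `verify` callback and the assumption that `GET`/`HEAD`/`OPTIONS` are exempt (mirroring koa-csrf's default) are mine. As the maintainer notes, credentialed `fetch`/XHR can still reach these routes cross-origin whenever CORS permits it, so this gate is only as strong as the CORS policy in front of it.

```javascript
// Added example, not koa-csrf's code. Media types a plain <form> can submit
// cross-origin without a CORS preflight; requests of these types keep the CSRF check.
const FORM_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Assumption: mirrors koa-csrf's default method exemptions.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Reduce a raw Content-Type header to its bare media type:
// drop parameters ("; charset=utf-8", "; boundary=..."), trim, lower-case.
function mediaType(contentType) {
  if (!contentType) return '';
  return String(contentType).split(';')[0].trim().toLowerCase();
}

// Decide whether a request must present a valid CSRF token.
// A missing Content-Type is treated as form-capable so that a bodiless
// cross-origin POST cannot slip past the check.
function needsCsrfCheck(method, contentType) {
  if (SAFE_METHODS.has(String(method).toUpperCase())) return false;
  const type = mediaType(contentType);
  if (type === '') return true;
  return FORM_TYPES.has(type);
}

// Koa-style wrapper (hypothetical): run `verify` (e.g. the koa-csrf middleware)
// only for requests that need it; everything else goes straight to `next`.
// Only sound if CORS never grants credentialed cross-origin access to these routes.
function contentTypeGate(verify) {
  return async function gate(ctx, next) {
    if (!needsCsrfCheck(ctx.method, ctx.get('Content-Type'))) return next();
    return verify(ctx, next);
  };
}
```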