Closed p0deje closed 11 years ago
Please, please, don't make other people work on New Year's night again.
Who are the other people? Is this with or without Sinatra?
@homakov said they have a Rack gateway which is being used by some banks. Some of them send back with POST, and thus `Origin` doesn't equal `base_url`. Apparently, they should be whitelisted, but it took time to figure out what was going wrong.
`http_origin` aims to fix CSRF by denying ALL cross-origin POSTs. First of all, `Origin` is not supported by every browser, thus the fix is not truly helpful. And second, it is hard to figure out why I get Forbidden; I use `authenticity_token` to protect from CSRF. So it's better to disable it by default.
I think the real fix would be to clear the session, though (as it already does when set up by Sinatra).
@rkh Clearing the session is not any better than a "Forbidden" response. No session, no working app :) For the last two years I have been :+1: :+1: :+1: :+1: :+1: :+1: :+1: :+1: for denying cross-origin POSTs, but `http_origin`, as I said previously, is not enough: `Origin` is not supported by every browser... Up to you. I need others' opinions.
@homakov While it's not supported by browsers other than Chrome, it's not harmful to unsupported browsers, since they don't send `Origin` at all.
@rkh The real problem is that in some cases `Origin` should be configured properly (i.e. a whitelist should be set up). So, since many people just turn on rack-protection and leave it as is (without figuring out what it really does), `Origin` may be a bad option to have enabled by default.
I have added logging to `HttpOrigin`. @homakov Is it enough, or would you still like to disable it by default?
@p0deje This logging already exists by default. I had logs on a remote server, so they were not helpful. I think changing "Forbidden" to "Cross POST is forbidden" is better help for developers :)
@p0deje Yes, I know, it already logs by default this way: https://github.com/p0deje/rack-protection/blob/master/lib/rack/protection/base.rb#L45
@homakov Ah, I didn't notice that. Wasn't it useful for you?
@rkh Can we merge this?
@p0deje Hard question. I didn't even know that cross-origin POSTs are denied, so I didn't read the logs.
@rkh Do you think it should be merged or closed?
I don't know. I think this should be kept and only drop the session by default, and you should remove it in your app or whitelist that endpoint. Though I am not sure if I'm right with that opinion.
Until it gets more bug reports, @p0deje, I think it can be closed.
Apparently some people struggle when it's enabled by default // cc @homakov
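The check the thread argues about, written out as an added example so the three behaviours under discussion are visible side by side: a cross-origin POST is refused unless its origin is whitelisted (the bank-gateway case), a request with no `Origin` header passes untouched (the "not supported by every browser" gap), and the refusal says why rather than a bare "Forbidden". This is a standalone middleware written for this page, not rack-protection's `HttpOrigin`; the class name `OriginCheck`, its `whitelist:`/`logger:` options, the message text and the sample requests are all assumptions.

```ruby
# Hypothetical reimplementation of the Origin check discussed above (not the
# rack-protection code): a Rack middleware that rejects unsafe requests whose
# Origin header differs from the request's own base URL, unless that origin
# is in a configured whitelist. Requests without an Origin header pass.
class OriginCheck
  # Methods that must be side-effect free, so they never need the check.
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
  DEFAULT_PORTS = { 'http' => 80, 'https' => 443 }.freeze

  # whitelist: exact origins (scheme://host[:port]) allowed to POST back,
  # e.g. a bank's payment gateway. logger: anything responding to #puts.
  def initialize(app, whitelist: [], logger: nil)
    @app = app
    @whitelist = whitelist.map(&:downcase)
    @logger = logger
  end

  def call(env)
    return @app.call(env) if accepts?(env)

    # Say *why* the request was refused, not just "Forbidden".
    msg = "cross-origin #{env['REQUEST_METHOD']} from #{env['HTTP_ORIGIN']} " \
          "to #{base_url(env)} is forbidden (whitelist the origin if it is legitimate)"
    @logger&.puts("attack prevented by OriginCheck: #{msg}")
    [403, { 'Content-Type' => 'text/plain' }, ["Forbidden: #{msg}\n"]]
  end

  # true if the request may proceed
  def accepts?(env)
    return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])

    origin = env['HTTP_ORIGIN']
    return true if origin.nil? || origin.empty? # browser sent no Origin: nothing to compare

    origin = origin.downcase
    # "null" (sandboxed frames, some redirects) never equals base_url, so it is
    # refused like any other foreign origin unless explicitly whitelisted.
    @whitelist.include?(origin) || origin == base_url(env)
  end

  # scheme://host[:port], port omitted when it is the scheme's default
  def base_url(env)
    scheme = env['rack.url_scheme'] || 'http'
    host, port = if env['HTTP_HOST']
                   h, p = env['HTTP_HOST'].split(':', 2)
                   [h, p ? p.to_i : DEFAULT_PORTS[scheme]]
                 else
                   [env['SERVER_NAME'], env['SERVER_PORT'].to_i]
                 end
    url = "#{scheme}://#{host}"
    url += ":#{port}" unless port == DEFAULT_PORTS[scheme]
    url.downcase
  end
end

# Build a minimal Rack env hash (constructed for the example, not captured traffic).
def request_env(method, origin: nil, host: 'shop.example', scheme: 'https')
  env = { 'REQUEST_METHOD' => method, 'HTTP_HOST' => host, 'rack.url_scheme' => scheme }
  env['HTTP_ORIGIN'] = origin if origin
  env
end

# Status the middleware produces for a request, with a trivial app behind it.
def status_for(env, whitelist: [])
  app = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
  OriginCheck.new(app, whitelist: whitelist, logger: $stderr).call(env).first
end

if __FILE__ == $PROGRAM_NAME
  bank = 'https://gateway.bank.example' # assumed gateway origin
  puts status_for(request_env('POST', origin: 'https://shop.example'))   # same origin
  puts status_for(request_env('POST', origin: bank))                     # cross-origin POST refused
  puts status_for(request_env('POST', origin: bank), whitelist: [bank])  # whitelisted gateway
  puts status_for(request_env('POST'))                                   # no Origin header: passes
  puts status_for(request_env('GET', origin: 'https://evil.example'))    # safe method: passes
end
```

The fourth case is the one homakov's objection rests on: a browser that never sends `Origin` (or an attacker who strips it from a non-browser client) is not stopped by this check at all, so it complements a per-request `authenticity_token` rather than replacing it. The comparison is on scheme, host and port together, which is why a gateway that posts back over a different scheme or port than the app's `base_url` has to be whitelisted explicitly.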