Open andreiepure opened 7 years ago
Including the CSRF token in the request header works for me as well (even if the MultipartFilter
is not defined before the Spring Security filter). I agree that a third option should be added (and might be the best default suggestion). If there's a reason to avoid this approach I've overlooked it seems even more imperative to document it!
The relevant section is now under 13.1.5 CSRF Caveats - Multipart (file upload)
Tested using Spring Security 5.1.6
This third approach with adding the HTTP X-XSRF-TOKEN
header to the request worked for me too. But I also needed to configure properly the CORS settings with Access-Control-Allow-Credentials=true
and also on the client side the XHR object needed the withCredentials=true
property set because I was using it in a single page app.
Tested using Spring Security 5.2.2
Anyone here willing to submit a PR?
I'd love to work on this. Would it be possible?
Summary
The current docs say that there are two options to handle CSRF protection with multipart/form-data - not having security on multi-part file transfer or sending the CSRF token with the URL. The second is a security breach, as the docs mention.
Expected Behavior
A third option should be added: adding the CSRF token to the XHR POST request header sent to the server. This option works, I have tested it with Spring-Boot 1.5.2.RELEASE. I detailed the steps on SO.
Basically, it follows the guideline of sending the CSRF token via an AJAX request (and submitting the multi-part form using an AJAX request).
Version
Spring Security 4.2.2 - 18.5.4 Multipart (file upload)