Description
Hey.
I'm working on an application where the backend will be on one domain (using Golang and with this package to protect against CSRF) and the frontend implementation will be on another domain (or subdomain).
Thing is...I'm using HTTPS (because we're in 2019, right?) and this package has strict referer checking in the HTTPS case, which means that in my case the requests would be blocked even if the CSRF token is correct, just because the requests don't have the same referrer as the origin.
Describe the solution you'd like
The idea of this feature request is to add an option like Django's Trusted Origins, by defining a new option that receives a slice of strings that are matched against the referrer to check whether it's valid or not according to the configuration.
Describe alternatives you've considered
The other option would be to create a middleware that wraps this package, changes the URL scheme to "http" so this check just doesn't happen...but of course that's a VERY ugly solution and would not fix the problem...nor would it protect decently against the security issue that check is trying to solve.
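To make the requested behaviour concrete, here is an added, stand-alone illustration of the trusted-origins referer check the feature request describes. It is not code from gorilla/csrf or from the issue author; the function names (`refererAllowed`, `requireTrustedReferer`, `originHost`) and the hostnames (`api.example.com`, `app.example.com`, `admin.example.com`) are assumptions made for the example. The check keeps the strict rule for TLS requests (a missing or non-HTTPS Referer is rejected) and, in addition to same-origin referers, accepts referers whose host is in the configured slice; entries may be given as a bare host or as a full `https://host` origin, which is one step more general than the issue spells out.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// originHost normalises a trusted-origins entry to a host[:port] string.
// Entries may be a bare host ("app.example.com") or an origin
// ("https://admin.example.com"); anything unparsable yields "".
func originHost(entry string) string {
	if strings.Contains(entry, "://") {
		u, err := url.Parse(entry)
		if err != nil || u.Scheme != "https" {
			return ""
		}
		return u.Host
	}
	return entry
}

// refererAllowed reports whether the request's Referer is acceptable.
// The strict check only applies to TLS requests (r.TLS != nil), matching
// the HTTPS-only referer rule the issue describes; plain HTTP passes.
func refererAllowed(r *http.Request, trustedOrigins []string) bool {
	if r.TLS == nil {
		return true
	}
	ref := r.Header.Get("Referer")
	if ref == "" {
		return false // strict mode: a missing Referer on HTTPS is rejected
	}
	u, err := url.Parse(ref)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return false // downgraded or malformed referers are never trusted
	}
	// Same-origin referer is always acceptable.
	if strings.EqualFold(u.Host, r.Host) {
		return true
	}
	// Otherwise the referer host must match a configured trusted origin.
	for _, entry := range trustedOrigins {
		if h := originHost(entry); h != "" && strings.EqualFold(u.Host, h) {
			return true
		}
	}
	return false
}

// requireTrustedReferer wraps next and rejects state-changing TLS requests
// whose Referer is neither same-origin nor in trustedOrigins. Safe methods
// are passed through, as a CSRF check only concerns state changes.
func requireTrustedReferer(trustedOrigins []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
			next.ServeHTTP(w, r)
			return
		}
		if !refererAllowed(r, trustedOrigins) {
			http.Error(w, "Forbidden: referer not trusted", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor drives the middleware with an in-memory request (constructed
// sample traffic, no network) and returns the resulting status code.
func statusFor(trusted []string, method, target, referer string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	r := httptest.NewRequest(method, target, nil)
	if referer != "" {
		r.Header.Set("Referer", referer)
	}
	rec := httptest.NewRecorder()
	requireTrustedReferer(trusted, ok).ServeHTTP(rec, r)
	return rec.Code
}

func main() {
	trusted := []string{"app.example.com", "https://admin.example.com"}
	api := "https://api.example.com/v1/items"
	fmt.Println("frontend on trusted subdomain:", statusFor(trusted, "POST", api, "https://app.example.com/page"))
	fmt.Println("untrusted referer:           ", statusFor(trusted, "POST", api, "https://evil.example.net/"))
	fmt.Println("http referer on https API:   ", statusFor(trusted, "POST", api, "http://app.example.com/page"))
	fmt.Println("GET without referer:         ", statusFor(trusted, "GET", api, ""))
}
```

Running it shows the cross-domain frontend allowed (200), an unknown or downgraded referer refused (403), and safe methods untouched. This check complements rather than replaces token validation: the token is still verified after the origin check passes.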