Support reading specific HTTP Request CSRF tokens only from header #7538


Open
rwinch opened this issue Oct 17, 2019 · 0 comments
Labels
in: web An issue in web modules (web, webmvc)

Comments

@rwinch
Member

rwinch commented Oct 17, 2019

Summary

This would be nice to solve the fact that protecting multipart requests (file uploads) from CSRF attacks causes a chicken-and-egg problem. In order to prevent a CSRF attack from occurring, the body of the HTTP request must be read to obtain the actual CSRF token. However, reading the body means that the file will be uploaded, which means an external site can upload a file. We could use JavaScript to do the upload and include the token in the headers, and force the reading of the actual CSRF token for multipart requests to be from the header.
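
As an added example, not Spring Security's code and not part of this issue, a small JavaScript model of the header-only policy described above: the server-side check never reads a multipart body to find the token, and the client-side helper sends the token in the request header instead of as a form field. The header name `X-CSRF-TOKEN` and parameter name `_csrf` are Spring Security's defaults; the request shape, `readBody()` and the other helper names are assumptions.

```javascript
// Added example (not Spring Security code): header-only CSRF token resolution
// for multipart requests. Request objects are constructed inline; helper names
// and the request shape are assumptions.
const HEADER_NAME = 'x-csrf-token'; // Spring Security default header, lower-cased as Node does
const PARAM_NAME = '_csrf';         // Spring Security default form parameter

// Constant-time comparison so a token check does not leak via timing.
function tokensMatch(expected, actual) {
  if (typeof actual !== 'string' || actual.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ actual.charCodeAt(i);
  }
  return diff === 0;
}

// Returns the token the client supplied, or null. For multipart requests the
// body is never touched: req.readBody() stands for the parse that would
// consume the uploaded file before the token could be verified.
function resolveActualToken(req) {
  const fromHeader = req.headers[HEADER_NAME];
  if (typeof fromHeader === 'string') return fromHeader;
  const contentType = (req.headers['content-type'] || '').toLowerCase();
  if (contentType.startsWith('multipart/')) return null; // header only, body untouched
  const params = req.readBody(); // non-multipart: falling back to the form parameter is fine
  return typeof params[PARAM_NAME] === 'string' ? params[PARAM_NAME] : null;
}

// Accept the request only if the supplied token matches the session's token.
function isCsrfValid(req, expectedToken) {
  return tokensMatch(expectedToken, resolveActualToken(req));
}

// Client side: fetch() options that carry the token in the header, so the
// upload (a FormData or Blob supplied by the caller) can be verified before
// the server reads any of the body.
function buildUploadRequest(csrfToken, body) {
  return { method: 'POST', headers: { 'X-CSRF-TOKEN': csrfToken }, body };
}

// Constructed sample request; bodyRead records whether the body was parsed.
function makeRequest(headers, bodyParams) {
  const req = { headers, bodyRead: false };
  req.readBody = () => { req.bodyRead = true; return bodyParams; };
  return req;
}
```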

@rwinch rwinch added this to the 5.3.x milestone Oct 17, 2019
@rwinch rwinch added the in: web An issue in web modules (web, webmvc) label Oct 17, 2019
@rwinch rwinch removed this from the 5.3.x milestone May 31, 2022