ring-anti-forgery and web services #2
Comments
|
I'd also like to know, if returning the anti-forgery-token in the access-denied response could be harmful. One scenario I could think of, is that your site isn't XSS-secure, makes a faulty request on purpose and just sends the token from the response off to some third party for CSRF attacks. |
|
CSRF is a form of confused deputy attack that targets websites secured via a session cookie. Your web service shouldn't be authenticating with session cookies, so anti-forgery protection does not apply. There's literally no point to including ring-anti-forgery on any part of your site not sitting behind a secured session. |
|
Hi @weavejester - I believe @mynomoto may be requesting this somewhat abstruse feature because webservices and user-facing webapp can't coexist in the same
As a clojure noob, I would like to make an attempt at a patch that adds an optional parameter (let's say |
|
You don't need to apply (routes
api-routes
(wrap-anti-forgery site-routes)) |
|
Ha! Thanks @weavejester. To help out fellow noobs, I will submit a small patch noting this in the README. |
|
I still don't get this. In apache storm we have same post route being used by our web page and the rest api. In order to use CSRF protection I will now have to create duplicate routes? |
|
CSRF attacks come about because form POSTs can be triggered across domains. If the same URI is intended to receive authenticated POST requests from both a browser and an API client, then you need some way of determining whether or not the request comes from the browser or API client. For example, perhaps you use cookie-based sessions to authenticate browsers, and HTTP Basic Auth to authenticate API clients. You could have some custom middleware that checks to see how the user is authenticating; if it's via a session, then the anti-forgery middleware is added, otherwise it leaves it out. |
Close Raynes#53. Bump Clojure to the latest stable release, 1.7.0. The only major switch was avoiding the ring-clojure/ring-anti-forgery 403 permissions error that was being thrown when POST to /tutorial. The library is included in noir.util.middleware from ring-clojure/ring-defaults. For more information about ring-anti-forgery and POST see ring-clojure/ring-anti-forgery#2. For some reason, upgrading to 1.7 triggered this middleware on this endpoint only. To remedy, updated /tutorial to a GET, forgoing the nice $.load convenience function and useing $.get. This has the nicety of being more semantically correct anyways. $.load defaults to a GET when no data is given, as in the setupLink function. Upgraded lib-noir to v0.9.9. In versions up to v0.9.8, it fails to start, raising an exception due to an undeclared variable "pretty".
On the readme there is a caveat about using ring-anti-forgery with web services. But it can work with those just fine and would even work out of the box if the default access-denied response included the token on the header - if the client just send the token back with its request.
Could this header be in the access-denied response by default? Or can you think about reasons not to do it?
Thanks.
The text was updated successfully, but these errors were encountered: