Add CSRF protection to all POST endpoints #2164
Comments
@wetneb I came across this while looking at the current AJAX code and am wondering how much protection it provides. A typical attack, as I understand it, would consist of using the user's cookie based session authentication to make an unauthorized change, but OpenRefine users aren't authenticated in the first place. Additionally, since the CSRF token is fetched separately from the generated web page from an unauthenticated endpoint, an attacker could just request a token and then use it in their forged request. There's probably something that I'm missing here, so figured I'd ask.
The typical exploit is as follows: Assume someone is running OpenRefine at Now with a CSRF protection, the attacker first needs to obtain a token from OpenRefine. To do so, they need to perform a cross-domain GET request to our backend and see the result of that request to read the token. That is not allowed by the cross-origin policy.
Got it. Thanks! It was the CORS piece that I was missing.
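The mechanism described in the reply above, as an added illustration that is not OpenRefine's code and not part of the original thread: an unauthenticated GET endpoint hands out random, short-lived tokens, every POST must present one, and the token endpoint sends no permissive CORS header, so a cross-site page can still submit a forged POST but cannot read a token to put in it. All class, function and parameter names below are hypothetical.

```python
import hmac
import secrets
import time


class CsrfTokenStore:
    """Issues random tokens and checks submitted ones against the issued set."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested offline
        self.issued = {}              # token -> issue time

    def issue(self):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.issued[token] = self.clock()
        return token

    def validate(self, token):
        """True only for a token this store issued that has not yet expired."""
        if not isinstance(token, str) or not token:
            return False
        now = self.clock()
        # Purge expired tokens so the store does not grow without bound.
        self.issued = {t: s for t, s in self.issued.items() if now - s <= self.ttl}
        # Constant-time comparison against each live token to avoid timing leaks.
        return any(hmac.compare_digest(t.encode(), token.encode()) for t in self.issued)


def token_get_headers():
    """Headers for the GET token endpoint. Deliberately no Access-Control-Allow-Origin:
    answering '*' here would let any site read the token and defeat the scheme."""
    return {"Content-Type": "application/json", "Cache-Control": "no-store"}


def handle_post(store, params):
    """Gate a state-changing endpoint on a valid csrf_token request parameter."""
    if not store.validate(params.get("csrf_token")):
        return 403, "missing or invalid csrf_token"
    return 200, "ok"


if __name__ == "__main__":
    store = CsrfTokenStore()
    token = store.issue()
    # Constructed inputs: a same-origin client that fetched a token, and a
    # forged cross-site form submission that could not obtain one.
    print(handle_post(store, {"csrf_token": token}))   # (200, 'ok')
    print(handle_post(store, {"project": "1234"}))      # (403, 'missing or invalid csrf_token')
```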
We should add Cross Site Request Forgery protection to all our POST endpoints, to protect instances from being altered by other sites (which can be the first step in an XSS exploit).
Command class.