
This queue is for tickets about the Mojolicious-Plugin-CSRFProtect CPAN distribution.

Report information
The Basics
Id: 73406
Status: resolved
Priority: 0/
Queue: Mojolicious-Plugin-CSRFProtect

People
Owner: Nobody in particular
Requestors: nikita.dedik [...] bulyon.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Not all AJAX requests should be protected
Protection should be enabled only for AJAX requests which used the jquery_ajax_csrf_protection helper. Currently the protection is enabled for all AJAX requests, even when it's not needed. Example: infinite scrolling (which is AJAX but doesn't require protection).
Wed Dec 21 03:50:42 2011, nikita.dedik@bulyon.com wrote:
> Protection should be enabled only for AJAX requests which used the
> jquery_ajax_csrf_protection helper.
You should use this helper in your template. It will add JavaScript which registers a callback that adds protection when the "ajaxSend" event occurs. So the "jquery_ajax_csrf_protection" helper is called only by the action which renders the HTML page.
> Currently the protection is enabled
> for all AJAX requests, even when it's not needed. Example: infinite
> scrolling (which is AJAX but doesn't require protection).
I cannot distinguish between events which require protection and events which do not require protection. If you use jQuery for sending AJAX then everything will be OK. For example, "infinite scrolling" in jqGrid works just fine.

jquery_ajax_csrf_protection
From: nikita.dedik [...] bulyon.com
You misunderstood. In the current implementation all requests with the X-Requested-With header are checked for the CSRF token, whether or not it's really needed. It's better to only check requests from pages which used the jquery_ajax_csrf_protection helper for rendering. The session can be used to store when the helper is called, somehow.

Thu Dec 22 13:00:27 2011, KOORCHIK wrote:
> Wed Dec 21 03:50:42 2011, nikita.dedik@bulyon.com wrote:
> > Protection should be enabled only for AJAX requests which used the
> > jquery_ajax_csrf_protection helper.
> You should use this helper in your template. It will add JavaScript
> which registers a callback that adds protection when the "ajaxSend" event
> occurs. So the "jquery_ajax_csrf_protection" helper is called only by the
> action which renders the HTML page.
>
> > Currently the protection is enabled
> > for all AJAX requests, even when it's not needed. Example: infinite
> > scrolling (which is AJAX but doesn't require protection).
> I cannot distinguish between events which require protection and events
> which do not require protection. If you use jQuery for sending AJAX then
> everything will be OK. For example, "infinite scrolling" in jqGrid works
> just fine.
>
> jquery_ajax_csrf_protection
Fri Dec 23 01:54:46 2011, nikita.dedik@bulyon.com wrote:
> You misunderstood.
>
> In the current implementation all requests with the X-Requested-With header
> are checked for the CSRF token, whether or not it's really needed. It's
> better to only check requests from pages which used the
> jquery_ajax_csrf_protection helper for rendering. The session can be used
> to store when the helper is called, somehow.
How can I know that a request comes from a page which uses jquery_ajax_csrf_protection? You can send a request from that page to absolutely any route.
From: nikita.dedik [...] bulyon.com
Maybe a way to configure the plugin's behavior per route, somehow?

Fri Dec 23 03:26:19 2011, KOORCHIK wrote:
> Fri Dec 23 01:54:46 2011, nikita.dedik@bulyon.com wrote:
> > You misunderstood.
> >
> > In the current implementation all requests with the X-Requested-With header
> > are checked for the CSRF token, whether or not it's really needed. It's
> > better to only check requests from pages which used the
> > jquery_ajax_csrf_protection helper for rendering. The session can be used
> > to store when the helper is called, somehow.
>
> How can I know that a request comes from a page which uses
> jquery_ajax_csrf_protection? You can send a request from that page to
> absolutely any route.
Fri Dec 23 03:33:29 2011, nikita.dedik@bulyon.com wrote:
> Maybe a way to configure the plugin's behavior per route, somehow?
No, it is impossible to define which action will be called in the "after_static_dispatch" hook. I thought about this from the very beginning -
http://groups.google.com/group/mojolicious/browse_thread/thread/5222d4e8881541c5/cfe81192d7dadc72?lnk=gst&q=koorchik#cfe81192d7dadc72
Also, I asked Sebastian for this feature: https://github.com/kraih/mojo/issues/253
I will disable CSRF protection for AJAX GET requests. It does not make sense to protect AJAX GET because it does not increase security at all. So, your issue will be fixed.
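The decision above, written out as an added Mojolicious::Lite example (not the plugin's own code): the pre-routing hook requires a CSRF token only for state-changing methods, so AJAX GET requests such as an infinite-scroll feed pass unchecked. It assumes the before_routes hook (the name later Mojolicious releases use in place of after_static_dispatch), a session-stored token, a hidden `csrftoken` form field, an `X-CSRF-Token` request header set from the ajaxSend callback, and /dev/urandom for token bytes.

```perl
#!/usr/bin/env perl
use Mojolicious::Lite;
use Mojo::Util qw(secure_compare);
app->secrets(['example-only-secret']);   # constructed value; use a real secret in deployment

# Per-session token, created on first use; reads /dev/urandom (Unix assumed).
helper csrf_token => sub {
  my $c = shift;
  return $c->session->{csrftoken} //= do {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $raw, 16;
    unpack 'H*', $raw;
  };
};

# Runs before routing, the stage the thread calls after_static_dispatch.
hook before_routes => sub {
  my $c   = shift;
  my $req = $c->req;

  # Safe methods do not change state, so no token is required for them.
  # AJAX or not, a GET such as the infinite-scroll feed is routed as usual.
  return if $req->method =~ /^(?:GET|HEAD|OPTIONS)$/;

  # State-changing requests: take the token from the hidden form field (plain
  # POST) or from the header the ajaxSend callback attaches (XMLHttpRequest).
  my $is_ajax = ($req->headers->header('X-Requested-With') // '') eq 'XMLHttpRequest';
  my $sent    = $is_ajax ? $req->headers->header('X-CSRF-Token') : $req->param('csrftoken');
  my $want    = $c->session->{csrftoken};
  return if defined $sent && defined $want && secure_compare($sent, $want);

  # Rendering here finishes the request; the router is not invoked.
  $c->render(status => 403, text => 'Forbidden: missing or invalid CSRF token');
};

# The page that hands the token to jQuery; every XHR it sends then carries it.
get '/' => sub {
  my $c = shift;
  $c->render(inline => <<'EOT', token => $c->csrf_token);
<script>
  jQuery(document).ajaxSend(function (e, xhr) {
    xhr.setRequestHeader('X-CSRF-Token', '<%= $token %>');
  });
</script>
EOT
};

get  '/feed'    => sub { shift->render(json => {items => []}) };  # scroll: no token
post '/comment' => sub { shift->render(text => 'saved') };        # token enforced
app->start;
```

Started with `morbo app.pl`, a GET to /feed always answers, while a POST to /comment without the field or header is refused with 403.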
From: nikita.dedik [...] bulyon.com
Good decision ). Thanks! If you decide to move to Moscow, let me know ).

Fri Dec 23 03:43:58 2011, KOORCHIK wrote:
> Fri Dec 23 03:33:29 2011, nikita.dedik@bulyon.com wrote:
> > Maybe a way to configure the plugin's behavior per route, somehow?
>
> No, it is impossible to define which action will be called in the
> "after_static_dispatch" hook.
>
> I thought about this from the very beginning -
> http://groups.google.com/group/mojolicious/browse_thread/thread/5222d4e8881541c5/cfe81192d7dadc72?lnk=gst&q=koorchik#cfe81192d7dadc72
>
> Also, I asked Sebastian for this feature:
> https://github.com/kraih/mojo/issues/253
>
> I will disable CSRF protection for AJAX GET requests. It does not make
> sense to protect AJAX GET because it does not increase security at all.
> So, your issue will be fixed.
> Good decision ). Thanks!
Have uploaded a new version to CPAN. It will be available soon.
> If you decide to move to Moscow, let me know ).
ok :)