Is it safe to bypass CSRF protection for XHR? (Rails)


Question


A component of our webapp is (more-or-less) an SPA. i.e. it runs using javascript, and doesn't generate any page views or refreshes. This can cause CSRF tokens to go stale. Particularly for mobile phone users, who might switch the browser off and open it a few days/weeks later. This SPA occasionally needs to POST updates to the server.


We see some javascript POST requests that generate a 422 error, with a warning about CSRF protection. I'm pretty sure that the CSRF token is present, but is stale. I'm trying to find the best way around it.


If I understand things correctly, and according to OWASP CSRF Cheat Sheet, XHR requests should be safe as long as CORS isn't open on the same endpoint. That is, a malicious site cannot craft a request with an XHR header without javascript. And with javascript, the request should be blocked since it's cross-origin.


The only resource I found had a rather confusingly-written example where CSRF protection is disabled for json. I couldn't work out whether it recommends doing it, or avoiding it.


Is it therefore safe/unsafe to turn off CSRF protection for XHR/json requests on rails where CORS isn't enabled?

Answer


The short answer is that it is safe, but you need to be careful with CORS.


Here's a snippet from the documentation changes I suggested to rails:



It is generally safe to exclude XHR requests from CSRF protection (like the code snippet above does), because XHR requests can only be made from the same origin. Note however that any cross-origin third party domain allowed via CORS will also be able to create XHR requests. Be sure to check your CORS whitelist before disabling forgery protection for XHR.


Note that I haven't yet had any feedback from the rails team about this.
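The interaction the answer describes (XHR requests exempted from forgery protection, with the CORS allowlist deciding whether that exemption is safe) as an added example that is not part of the question, the answer, or Rails itself. It is plain Ruby so it runs without Rails: the `xhr?` helper stands in for Rails' `request.xhr?`, the `skip_csrf_for_xhr:` flag stands in for `skip_before_action :verify_authenticity_token, if: -> { request.xhr? }`, and `browser_delivers?` is a deliberately simplified model of what a browser does with a cross-origin request that carries the `X-Requested-With` header (it is preflighted and only delivered if the origin is in the server's CORS allowlist). All origins, tokens and requests are constructed sample values.

```ruby
# Added example, not code from the original Q&A or from Rails.
# Models the answer's claim: skipping CSRF checks for XHR is safe only while
# every origin in the CORS allowlist is trusted.
require 'set'

# Stand-in for Rails' `request.xhr?`: true when the XMLHttpRequest header is set.
def xhr?(headers)
  headers['X-Requested-With'].to_s.casecmp('XMLHttpRequest').zero?
end

# Simplified browser model (an assumption, not a full CORS implementation):
# same-origin requests are always sent; a cross-origin request without custom
# headers (a plain HTML form POST) is "simple" and always sent; a cross-origin
# request with a custom header is preflighted and only reaches the server when
# its origin is in the CORS allowlist.
def browser_delivers?(request, site_origin, cors_allowlist)
  return true if request[:origin] == site_origin
  return true unless xhr?(request[:headers])
  cors_allowlist.include?(request[:origin])
end

# Server-side decision: accept when the CSRF token is valid, or when the
# request is an XHR and forgery protection has been skipped for XHR.
def server_accepts?(request, skip_csrf_for_xhr:, valid_tokens:)
  return true if valid_tokens.include?(request[:csrf_token])
  skip_csrf_for_xhr && xhr?(request[:headers])
end

# End-to-end outcome for one request: never delivered, rejected, or accepted.
def outcome(request, site_origin:, cors_allowlist:, skip_csrf_for_xhr:, valid_tokens:)
  return :blocked_by_browser unless browser_delivers?(request, site_origin, cors_allowlist)
  ok = server_accepts?(request, skip_csrf_for_xhr: skip_csrf_for_xhr, valid_tokens: valid_tokens)
  ok ? :accepted : :rejected_422
end

# Constructed sample data.
SITE    = 'https://app.example'
VALID   = Set['fresh-token']                       # tokens the server still recognises
XHR_HDR = { 'X-Requested-With' => 'XMLHttpRequest' }

REQUESTS = {
  # The SPA from the question: same origin, XHR, but its token has gone stale.
  stale_spa:   { origin: SITE,                      headers: XHR_HDR, csrf_token: 'stale-token' },
  # Classic CSRF: a cross-site HTML form POST with no token and no custom header.
  forged_form: { origin: 'https://evil.example',    headers: {},      csrf_token: nil },
  # Cross-origin XHR from an origin that is NOT in the CORS allowlist.
  forged_xhr:  { origin: 'https://evil.example',    headers: XHR_HDR, csrf_token: nil },
  # Cross-origin XHR from a third party that IS in the CORS allowlist.
  partner_xhr: { origin: 'https://partner.example', headers: XHR_HDR, csrf_token: nil }
}.freeze

# Run every sample request through the model with a given CORS allowlist,
# with forgery protection skipped for XHR (the setting the question asks about).
def run(cors_allowlist)
  REQUESTS.transform_values do |req|
    outcome(req, site_origin: SITE, cors_allowlist: cors_allowlist,
                 skip_csrf_for_xhr: true, valid_tokens: VALID)
  end
end

if __FILE__ == $PROGRAM_NAME
  p run([])                           # no CORS: only the same-origin SPA gets through
  p run(['https://partner.example'])  # allowlisted partner can now POST with no token
end
```

With an empty CORS allowlist the stale-token SPA request is accepted, the forged form POST still gets a 422 (it has no XHR header, so the exemption does not apply), and both cross-origin XHRs never reach the server. Adding `https://partner.example` to the allowlist is what changes the picture: that origin's XHRs are delivered and, with the exemption in place, accepted without any token, which is exactly why the answer says to check the CORS allowlist before disabling forgery protection for XHR.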
