Cross-site request forgery: Difference between revisions
No edit summary |
|||
| Line 16: | Line 16: | ||
#: <code>My-Xsrf-Cookie:UKL7smHAK4xENQj5pYbi</code> | #: <code>My-Xsrf-Cookie:UKL7smHAK4xENQj5pYbi</code> | ||
#* This cookie will be different for each session. | #* This cookie will be different for each session. | ||
# When making requests to checkout, the front-end will add the XSRF token to the HTTP request. | # When making requests to checkout, the front-end will add the XSRF token to the HTTP request as a header or hidden form field. | ||
#: <code>My-Xsrf-Header:UKL7smHAK4xENQj5pYbi</code> | #: <code>My-Xsrf-Header:UKL7smHAK4xENQj5pYbi</code> | ||
# Before processing the order, the backend will check the | # Before processing the order, the backend will check the XSRF header to make sure that it matches what was sent originally. | ||
#* I.e. it checks that the (XSRF header or sent field) matches the (sent cookie or save session token). | |||
===Defense Explanation=== | ===Defense Explanation=== | ||
| Line 27: | Line 28: | ||
# Next the browser stores the cookie under <code>shopping.com</code>. | # Next the browser stores the cookie under <code>shopping.com</code>. | ||
#* Due to same-origin policy, other websites cannot see the cookies for <code>shopping.com</code>. | #* Due to same-origin policy, other websites cannot see the cookies for <code>shopping.com</code>. | ||
Note that other origins can read hidden form fields and can send custom headers. | |||
This it is important for the backend to check the XSRF key against one that other websites cannot read. | |||
If you send the XSRF token in a cookie and a hidden form field, this will not require any JS since the browser will automatically repeat the hidden form field. | |||
However, you need to make sure no CORS header is sent otherwise other websites will be able to read the XSRF token sent in the hidden form field. | |||
E.g. | |||
<pre> | |||
Access-Control-Allow-Origin: https://shopping.com | |||
</pre> | |||