All,

I'm playing with the CsrfPreventionFilter and things are working well in the following situations:

  <a href="url">link text</a>

and

  <form method="post" action="url"> ... </form>

as long as the URL has been passed through request.encodeURL().

However, this one is causing me a problem:

  <form method="GET" action="url"> ... </form>

This builds a form like this:

  <form method="GET" action="https://host/path?org.apache.catalina.filters.CSRF_NONCE=[...]"> ... </form>

Neither Firefox nor Chrome will send the query string present in a <form> action attribute if the method="GET". The method must be "POST" in order for this to be sent. This is due to the HTML standard [1].

Short of changing all <form> methods to "POST", is there any way around this?

I have read the code for CsrfPreventionFilter and it does not appear that the nonce is stored anywhere except in the CsrfResponseWrapper for the request (and the session's nonce cache, but that isn't request-specific).

Would it be inappropriate to add the CSRF_NONCE to the request attributes so that application code could use it directly if necessary? Something like this:

  <form method="get" action="url">
  ...
  <input type="hidden" name="org.apache.catalina.filters.CSRF_NONCE" value="<%= request.getAttribute("CSRF_NONCE") %>" />
  </form>

-chris

[1] https://www.w3.org/TR/html401/interact/forms.html#h-17.13.3.4
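As an added example (not part of the message above and not Tomcat's own code), the workaround it sketches can be applied to the markup itself: take the action URL that request.encodeURL() produced, move the org.apache.catalina.filters.CSRF_NONCE parameter into a hidden input, and leave the rest of the action intact so that a GET submission still carries the nonce. The parameter name comes from the message; the helper names, the placeholder base URL and the browser-side patching function are assumptions.

```javascript
// Added example: keep the CsrfPreventionFilter nonce on GET forms by moving it
// from the action's query string (dropped by browsers on GET submit) into a
// hidden input. Parameter name as used by Tomcat's CsrfPreventionFilter.
const NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE";

// Split an encodeURL()-style action into { action, nonce }.
// nonce is null when the parameter is absent; action then stays unchanged.
function splitNonce(actionUrl) {
  // Base only makes relative actions parseable; it is never emitted.
  const url = new URL(actionUrl, "https://placeholder.invalid/");
  const nonce = url.searchParams.get(NONCE_PARAM);
  if (nonce === null) {
    return { action: actionUrl, nonce: null };
  }
  url.searchParams.delete(NONCE_PARAM);
  // Absolute inputs keep their origin; relative inputs stay relative.
  const wasAbsolute = /^[a-z][a-z0-9+.-]*:/i.test(actionUrl);
  const action = wasAbsolute ? url.toString() : url.pathname + url.search + url.hash;
  return { action, nonce };
}

// Minimal HTML attribute escaping for values placed into generated markup.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Template-side use: render a GET form whose nonce survives submission.
function renderGetForm(actionUrl, innerHtml) {
  const { action, nonce } = splitNonce(actionUrl);
  const hidden = nonce === null ? "" :
    `<input type="hidden" name="${NONCE_PARAM}" value="${escapeAttr(nonce)}" />`;
  return `<form method="get" action="${escapeAttr(action)}">${hidden}${innerHtml}</form>`;
}

// Browser-side use (hypothetical helper): repair already-rendered GET forms in
// place. Returns the number of forms changed; needs a DOM, so it is only
// invoked when one exists.
function patchGetForms(doc) {
  let patched = 0;
  for (const form of doc.querySelectorAll("form")) {
    if (form.method.toLowerCase() !== "get") continue;
    const { action, nonce } = splitNonce(form.getAttribute("action") || "");
    if (nonce === null || form.querySelector(`input[name="${NONCE_PARAM}"]`)) continue;
    const input = doc.createElement("input");
    input.type = "hidden"; input.name = NONCE_PARAM; input.value = nonce;
    form.appendChild(input);
    form.setAttribute("action", action);
    patched++;
  }
  return patched;
}

if (typeof document !== "undefined") patchGetForms(document);
```

The nonce value itself still comes from the server-issued URL; the helpers only relocate it, so the filter's per-session nonce check is unchanged.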