[jira] [Commented] (WICKET-6786) CsrfPreventionRequestCycleListener should support Fetch Metadata Request Headers

Wed, 01 Jul 2020 09:31:24 -0700 


    [ 
https://issues.apache.org/jira/browse/WICKET-6786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17149542#comment-17149542
 ] 

Santiago Diaz commented on WICKET-6786:
---------------------------------------

Hi Edmond! 
[We|[https://lists.apache.org/thread.html/rbd8b1500fff1140d136a08e35cf8c0f5cf200bf8a60b6a58204ef9a7%40%3Cdev.wicket.apache.org%3E]]
 are excited and ready to start working on adding Fetch Metadata as a feature 
to wicket-core. This will be configurable and have logging capabilities. 
Reading the description of this issue, I think it would be less confusing to 
users if we implement an independent FetchMetadataRequestCycleListener with its 
own configuration, exemptions and logic. Since Fetch Metadata has the ability 
to reject cross-origin requests to endpoints that are not meant to be accessed 
cross-origin without the need for a token, this would effectively replace the 
CsrfPreventionRequestCycleListener.

I'd be happy to either get this issue assigned to me (and give a full 
description of our design there) or create a brand new issue and add our 
description there. What do you think?

> CsrfPreventionRequestCycleListener should support Fetch Metadata Request 
> Headers
> --------------------------------------------------------------------------------
>
>                 Key: WICKET-6786
>                 URL: https://issues.apache.org/jira/browse/WICKET-6786
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-core
>    Affects Versions: 9.0.0-M5, 8.8.0
>            Reporter: Emond Papegaaij
>            Priority: Major
>
> {{CsrfPreventionRequestCycleListener}} tries to determine the origin of a 
> request via interpretation of the origin header and use this to block cross 
> origin requests. The origin header however is not very reliable. For example, 
> when a user opens a link in a new tab, the header is not sent. Fetch Metadata 
> Request Headers (https://w3c.github.io/webappsec-fetch-metadata/) aims to 
> solve this via a set of well defined headers. For Wicket, {{sec-fetch-site}} 
> is the most important: {{same-origin}} is safe, {{none}} is a user opening a 
> link via (for example) a bookmark, {{same-site}} and {{cross-origin}} should 
> be blocked.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to