Hi, I just want to give an update about the progress and about my plan for the next weeks. The options fine-grained or global CSRF protection both make sense to me. Therefore I would like to provide them both for Tapestry.

Fine-grained means having a component mixin that is used to inject the protection token at the client side and an annotation that is used at the server side to add the CSRF protection check for event handlers by using AOP methods (class transformation).

For the global mechanism the protection token should be injected into all components automatically, e.g. like the LinkFactory approach described in the Wiki, or by modifying the render process of all components, or by using a client-side injection mechanism. The CSRF Guard project provided by OWASP shows how a client-side approach uses JavaScript to parse the DOM and inject the CSRF token into forms and link elements (https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection).

For the protection token generation several strategies exist, e.g. Per-Session, Per-Page, Rotating, HMAC based. I'm not sure if it makes sense to provide all of them, but I'll start with the Per-Session strategy and attach the generated token to the server-side session state. Finally, it should be configurable how the CSRF protection works, like it was done in the CSRF Guard project (https://www.owasp.org/index.php/CSRFGuard_3_Configuration).

To sum it up, I'll start with a fine-grained Mixin approach and a Per-Session token. I have to make my Protected Mixin aware of all Tapestry built-in components. There are already some questions about how to do this in the best way, but I will post them in separate threads.

Best Regards,
Markus

--
View this message in context: http://tapestry.1045711.n5.nabble.com/CSRF-protection-tp4379034p4422846.html
Sent from the Tapestry - Dev mailing list archive at Nabble.com.
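As an added illustration of the Per-Session strategy sketched in the message above (this is not Markus's code and not part of Tapestry; the class name, the session-keyed map standing in for Tapestry's session state, and the sample session ids are assumptions), here is a minimal server-side token store plus the check an annotated event handler would run before doing any work:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Per-Session CSRF token strategy (hypothetical helper, not Tapestry code). */
public final class PerSessionCsrfToken {
    private static final SecureRandom RNG = new SecureRandom();
    /** Stand-in for the server-side session state; keyed by session id. */
    private final Map<String, String> sessionTokens = new ConcurrentHashMap<>();

    /** Returns the session's token, generating it on first use (256 random bits, URL-safe). */
    public String tokenFor(String sessionId) {
        return sessionTokens.computeIfAbsent(sessionId, id -> {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        });
    }

    /** The check an event handler runs: the submitted token must equal this session's token. */
    public boolean isValid(String sessionId, String submitted) {
        String expected = sessionTokens.get(sessionId);
        if (expected == null || submitted == null) {
            return false; // no token issued yet, or none submitted: reject
        }
        // Length-independent constant-time compare avoids leaking the token by timing.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    /** Constructed demonstration with two session ids (no real sessions involved). */
    public static void main(String[] args) {
        PerSessionCsrfToken store = new PerSessionCsrfToken();
        String token = store.tokenFor("session-A");              // token rendered into the page
        System.out.println("legit submit:   " + store.isValid("session-A", token)); // true
        System.out.println("missing token:  " + store.isValid("session-A", null));  // false
        System.out.println("other session:  " + store.isValid("session-B", token)); // false
        System.out.println("stable in A:    " + token.equals(store.tokenFor("session-A"))); // true
    }
}
```

A Per-Session token like this stays valid for the whole session, which is simpler than Per-Page or Rotating strategies but means the token must never appear in a URL that could leak through referers or logs.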
