Hello, the Access-Control-Allow-Credentials is a dangerous header.

Monit uses a stateless double-submit-cookie pattern for CSRF defence: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Double_Submit_Cookie ... the action will work when the request's "securitytoken" cookie and "securitytoken" HTTP parameter match - the value is not important, you can generate a new value for every request on the client side (the defence is based on the fact that the CSRF attacker cannot read nor set/modify the cookie value, so cannot set a matching HTTP parameter value).

Best regards,
Martin

> On 14 Sep 2017, at 06:13, Bhuvan Gupta <[email protected]> wrote:
>
> Any help will be nice
>
> On Thu, Sep 7, 2017 at 12:37 PM, Bhuvan Gupta <[email protected]> wrote:
> Hello all,
>
> I created an allMonit.html which has two iframes with src of two different
> monit http interfaces running on two different systems
>
> allMonit.html structure
> <iframe src = "http://firstserver:2812"></iframe>
> <iframe src = "http://seconderver:2812"></iframe>
>
> Now when I open allMonit.html in Chrome, I see two monit interfaces. GREAT
>
> Now if I try to, let's say, "start a service" on one, firstserver, I get invalid
> CSRF.
>
> Upon investigation I found that without the iframe the http request contains a
> cookie header like
> Cookie:securitytoken=6265d84a17c2715c7252c84d88a479cf
> whereas the http request from the iframe does not include a cookie header.
>
> Upon further study, I found that since the monit http response does not contain the
> following header
> Access-Control-Allow-Credentials: true
> the browser will not transmit the cookie back to the server.
>
> Now the question arises:
>
> QUESTION: How to configure monit to add an additional http header?
>
> Thanks
> Bhuvan
>
> --
> To unsubscribe:
> https://lists.nongnu.org/mailman/listinfo/monit-general
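The double-submit-cookie check Martin describes, as an added example that is not Monit's own code: the server accepts an action only when the `securitytoken` cookie and the `securitytoken` form parameter are equal, the value itself is arbitrary, and a request carrying no Cookie header at all (the iframe case in the question) is rejected. The `csrf_check` and `build_request` function names and the sample action parameters are assumptions made for this illustration.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode

# Name of the cookie and of the HTTP parameter that Monit compares (from the thread).
TOKEN_NAME = "securitytoken"


def csrf_check(cookie_header, body):
    """Server side: stateless double-submit-cookie validation (illustrative, not Monit's code).

    cookie_header: raw value of the request's Cookie header, or None when the
                   browser sent no cookie at all (what happens in the iframe case).
    body:          URL-encoded POST body carrying the action and the token parameter.
    Returns (allowed, reason).
    """
    if cookie_header is None:
        return False, "no Cookie header sent with the request"
    jar = SimpleCookie()
    jar.load(cookie_header)
    if TOKEN_NAME not in jar:
        return False, f"no {TOKEN_NAME} cookie"
    cookie_value = jar[TOKEN_NAME].value
    params = parse_qs(body, keep_blank_values=True)
    param_values = params.get(TOKEN_NAME, [])
    if len(param_values) != 1:
        return False, f"{TOKEN_NAME} parameter missing or repeated"
    # Only equality matters; compare in constant time so a mismatch leaks nothing.
    if not secrets.compare_digest(cookie_value, param_values[0]):
        return False, "cookie and parameter do not match"
    return True, "ok"


def build_request(action_params):
    """Client side: mint a fresh random token for this one request and submit it
    both as the cookie and as the form parameter. Returns (cookie_header, body)
    as a same-origin browser request would carry them."""
    token = secrets.token_hex(16)
    body = urlencode({TOKEN_NAME: token, **action_params})
    return f"{TOKEN_NAME}={token}", body
```

A cross-site page can set the form parameter but neither read nor set the cookie, so it cannot produce a matching pair; the request with the cookie stripped fails at the first check exactly as the iframe request in the question did.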
