[ 
https://issues.apache.org/jira/browse/COUCHDB-2797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14728920#comment-14728920
 ] 

Dale Harvey commented on COUCHDB-2797:
--------------------------------------

The issue from pouchdb is that the current CSRF protection cannot work in a 
situation where PouchDB is accessing CouchDB via CORS; this is because the 
current CSRF requires access to the document.cookies set by couchdb (on the 
couchdb origin domain) to set a corresponding header. This will never be 
possible. (https://github.com/pouchdb/pouchdb/pull/4252)

Now requests made with application/json are not vulnerable to CSRF: xhr is 
required to make requests with application/json, and xhr requests are by default 
banned from making requests to another origin; they need to specifically be 
enabled via CORS. CORS offers the ability to only allow uncredentialled 
requests or to restrict those requests from particular origins; CORS is how xhr 
is protected against CSRF. So for CouchDB to protect against CSRF it only needs 
to add a token mechanism to requests that can be made from another origin; 
those are all GET requests (so don't do side effects on GETs, which couch 
doesn't) and POST requests with 'application/x-www-form-urlencoded', 
'multipart/form-data', and 'text/plain'.

If the routes that accept those content types require a valid csrf token, then 
couchdb is safe (and pouchdb will continue to work) 



> Apply CSRF protection only to form submissions
> ----------------------------------------------
>
>                 Key: COUCHDB-2797
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2797
>             Project: CouchDB
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>            Reporter: Robert Newson
>
> The new CSRF double-submit protection should be applied to form submissions, 
> not all requests. XHR requests, in particular, are not vulnerable to CSRF, so 
> we should skip the check there, saving middleware and other tools the effort 
> of supporting this feature.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
