Hi Guys. What is current status of this effort. Quite interested in
seeing what comes of it. Many thanks.
Regards,
David
On 25-Mar-09, at 6:12 PM, Robert Marianski wrote:
> On Wed, Mar 18, 2009 at 11:21:11AM +0300, Malthe Borch wrote:
>> I was looking at the ``csrfmiddleware`` package by Luke Plant and
>> David Turner for a middleware solution the implements CRSF-protection
>> across my site.
>>
>> Some short-comings of this middleware for a who-app:
>>
>> - Relies on beaker to provide undiscoverable authorization; we
>> already
>> have the who cookie value which has same semantics.
>> - Does not provide functionality to authorize Ajax-requests.
>>
>> Based on the attached doc, I'm going to implement a repoze.who-based
>> middleware which overcomes the above. Additionally, I'm going to use
>> ``repoze.xmliter`` to allow multiple middlewares to process XML
>> without reparsing.
>>
>> Feedback welcome.
>>
>> \malthe
>
> I'm not sure how far along you've gotten here, but I have an
> interest in
> it too. I have access to update the csrfmiddleware, so if you think
> it's
> easier to make updates rather than start a new project, I'll be
> happy to
> work with you here.
>
> Robert
>
>> Overview
>> ========
>>
>> This package provides a WSGI middleware which relies on
>> ``repoze.who``
>> cookie authentiation to implement CSRF form protection [1].
>>
>> Strategy
>> --------
>>
>> In order to ensure that POST requests (which may be assumed to have
>> side-effects) stem from authorized forms, requests must include a
>> parameter that can only be known in theory by the authenticated user
>> and the website.
>>
>> One such parameter is the ``repoze.who`` authentication cookie value,
>> which is a digest based on the authentication credentials.
>>
>> The middleware creates a token based on a configurable seed and the
>> cookie value. Only requests that can produce this token are allowed
>> (the "403 Forbidden" status is returned otherwise).
>>
>> It's imperative that the token is not discoverable by third party.
>>
>> Extracting the validation token
>> -------------------------------
>>
>> Before looking at the POST data, the middleware consults the
>> "X-Form-Protect" request header.
>>
>> If not found, the POST data is examined for a "__protect" key.
>>
>> Form authentication
>> -------------------
>>
>> The middleware intercepts HTML content and adds CSRF form
>> authentication to all forms appearing on the page (by adding a hidden
>> input field with the name "__protect").
>>
>> Once verified, the parameter is stripped from the request before it
>> reaches the WSGI application.
>>
>> Identity metadata
>> -----------------
>>
>> A ``repoze.who`` metadata provider is available and adds a
>> "form_protection_token" entry to the identity object.
>>
>> A utility-method is available to retrieve the token from the
>> identity.
>>
>>>>> from repoze.formprotect import get_form_protection_token
>>>>> token = get_form_protection_token(identity)
>>
>> Note that this metadata is only required if form protection needs to
>> be handled manually.
>>
>> Ajax support
>> ------------
>>
>> Using a JavaScript library such as jQuery, it's possible to submit
>> Ajax-requests that use the POST request method, without the use of a
>> form.
>>
>> In order to authenticate such requests, either a valid form
>> protection
>> parameter or request header must be submitted (see above).
>>
>> To enable for all ajax-requests, bind an event listener for the
>> jQuery
>> "ajaxSend" event, which adds the form validation request header [2].
>>
>> jQuery.bind("ajaxSend", function(event, request, settings) {
>> request.setRequestHeader("X-Form-Protect", %token)
>> });
>>
>> References
>> ----------
>>
>> [1] http://en.wikipedia.org/wiki/Cross-site_request_forgery
>> [2] http://www.w3.org/TR/XMLHttpRequest/#xmlhttprequest
>>
>> Author
>> ------
>>
>> Malthe Borch <mbo...@gmail.com>
>
>> _______________________________________________
>> Repoze-dev mailing list
>> Repoze-dev@lists.repoze.org
>> http://lists.repoze.org/listinfo/repoze-dev
>
> _______________________________________________
> Repoze-dev mailing list
> Repoze-dev@lists.repoze.org
> http://lists.repoze.org/listinfo/repoze-dev
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
