-
-
Notifications
You must be signed in to change notification settings - Fork 193
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for origin/referrer checking #338
Conversation
Fixed a small typo
To use origin/referrer checking instead of an anti-CSRF token, disable CSRF token checking and set the list of origins that are allowed to connect to your WebSocket endpoint: (sente/make-channel-socket-server! (get-sch-adapter) {:csrf-token-fn nil :allowed-origins #{"http://site1.com" "http://site2.com"}) The current implementation checks both the Origin and the Referer header as per the OWASP CSRF Prevention Cheat Sheet.
Prior to updating, running Leiningen 2.9.1 fails with this error: Syntax error compiling var at (cider/nrepl/middleware/pprint.clj:74:3)
Merging manually, thanks for this! |
To use origin/referrer checking instead of an anti-CSRF token, disable CSRF token checking and set the list of origins that are allowed to connect to your WebSocket endpoint: (sente/make-channel-socket-server! (get-sch-adapter) {:csrf-token-fn nil :allowed-origins #{"http://site1.com" "http://site2.com"}) The current implementation checks both the Origin and the Referer header as per the OWASP CSRF Prevention Cheat Sheet.
Given a malicious non-browser client can supply any origin it wants would mean the server checking that origin would send the malicious client the sensitive cookies? The OWASP cheatsheet says "browser" clients can't forge the origin, but not that other clients can't. However... sense the client isn't the browser, which has the sensitive cookies, this malicious client wouldn't get said cookies. Which is what this author concludes as well
Though now i'm worried what they mean by "not authenticated" as i thought the vulnerability was during the unauthenticated phase as per this quote in the change log:
|
@drewverlee Hi Drew! I'm not 100% sure that I understand what you're asking/suggesting - could you please rephrase? Thanks! |
I've tried to follow the instructions in the OWASP CSRF Prevention Cheat Sheet to the best of my ability, but I'd really appreciate another set of eyes on this.
Unit tests for
bad-origin?
might be nice, but since the project currently has no unit tests, I didn't want to add any. I added some test cases inside a(comment)
form, though. The implementation could also be more concise, but I attempted to make the conditions as clear as possible.You can test the implementation with the example project by running
lein install
in the Sente root directory and making changes like this like this:After the changes, the example project should work as before.
You can then open another browser tab on http://neverssl.com or some other non-HTTPS site, open the developer console, and do something like this:
That should throw an error because http://neverssl.com isn't an allowed origin. You can then try adding http://neverssl.com (no trailing slash) into
:allowed-origins
and try again. It should then allow the connection.