ofbiz-notifications mailing list archives

From "Jacques Le Roux (Jira)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-11306) POC for CSRF Token
Date Mon, 06 Jan 2020 17:17:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17009013#comment-17009013
] 

Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------

bq. To allow back and forth browser buttons to work, can have the token value unchanged when request.getMethod is GET.
For now I did not find any issues with that. If needed, that would indeed be the solution.

bq. One page checkout works from my side when I last tested with the current patches. I was using Chrome and the admin user. Will test again.
It's not a browser issue, clearly: _Invalid or missing CSRF token for AJAX call to path '/getChild'_ when getting to shipping options.

bq. Regarding the recommendation from CSRFGuard, maybe can be discussed in the Dev List when this issue is completed?
I think we should not commit before checking that we did follow the CSRFGuard recommendations.

bq. Allowing one web app to ajax call another web app, with the former web app knowing the csrf token of the latter web app, is only possible if we convert the static js files to ftl files. But I don't think there are many use cases for it. For now, I have set the security token check to false for /getAssociatedStateList in Catalog app, to allow the eCommerce app to call the uri.
We need to evaluate that; it's not yet clear to me.


> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf token field.
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token to X-CSRF-Token in request header.
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF token check.
> Certain request paths, like LookupPartyName, can be exempted from the CSRF token check during Ajax POST calls.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
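A small Python model of the policy the issue description and the comment above lay out: a session-bound token that stays unchanged for GET (the back/forward-button case), a check on POST via either the hidden form field or the X-CSRF-Token header, and a per-path exemption standing in for the csrf-token attribute on the security tag. This is an added example, not OFBiz or CSRFGuard code; EXEMPT_PATHS, FIELD_NAME and the plain-dict sessions are assumptions, and the '/getChild' and cross-webapp cases are replayed with constructed sessions.

```python
import hmac
import secrets

# Constructed exemption table standing in for csrf-token="false" on the security
# tag; the two paths are the ones named in the issue and in the comment.
EXEMPT_PATHS = {"/LookupPartyName", "/getAssociatedStateList"}

HEADER_NAME = "X-CSRF-Token"   # header populated by the <@csrfTokenAjax> macro
FIELD_NAME = "csrfToken"       # hypothetical name of the hidden form field


def get_or_create_token(session: dict) -> str:
    """Return the session-bound token, generating it on first use.

    The token is never rotated on GET, so pages served from the browser's
    back/forward cache still carry a token that matches the session."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def check_csrf(session: dict, method: str, path: str, form=None, headers=None) -> str:
    """Classify a request as 'skipped-get', 'exempt', 'ok', 'missing' or 'invalid'.

    Only state-changing methods are checked. An exempt path bypasses the check
    entirely and therefore loses CSRF protection, so it should be read-only."""
    if method.upper() == "GET":
        return "skipped-get"
    if path in EXEMPT_PATHS:
        return "exempt"
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    presented = (form or {}).get(FIELD_NAME) or headers.get(HEADER_NAME.lower())
    expected = session.get("csrf_token")
    if expected is None or presented is None:
        return "missing"       # the '/getChild' symptom: AJAX call sent no token
    # Constant-time comparison so the check does not leak token bytes via timing.
    return "ok" if hmac.compare_digest(expected, presented) else "invalid"


def demo() -> dict:
    """Replay the cases discussed in the thread with two constructed sessions."""
    catalog, ecommerce = {}, {}
    tok = get_or_create_token(catalog)
    return {
        "form_post": check_csrf(catalog, "POST", "/updateOrder", form={FIELD_NAME: tok}),
        "ajax_post": check_csrf(catalog, "POST", "/getChild", headers={HEADER_NAME: tok}),
        "ajax_no_token": check_csrf(catalog, "POST", "/getChild"),
        # eCommerce app calling Catalog with its own session's token: rejected.
        "cross_webapp": check_csrf(catalog, "POST", "/getChild",
                                   headers={HEADER_NAME: get_or_create_token(ecommerce)}),
        "exempt_lookup": check_csrf(ecommerce, "POST", "/getAssociatedStateList"),
        "back_button_get": check_csrf(catalog, "GET", "/orderview"),
    }
```

The "cross_webapp" case is why the comment ends up exempting /getAssociatedStateList: without sharing the token across web apps, the caller can only succeed on a path that skips the check.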
