
CSRFProtectionFilter uses non-canonical header name

Open krotscheck opened this issue 8 years ago • 4 comments

The CSRFProtectionFilter uses the X-Requested-By header, which is fine and meets proper CSRF protection criteria. However, the OWASP cheat sheet, Wikipedia, jQuery, and other frameworks all recommend the X-Requested-With header instead.

There is no significant difference between one header or another, except that the latter has become the de-facto standard. Jersey2 should probably adopt it to ease use.

Workaround: The CSRF protection filter is easy enough to self-implement.

krotscheck, Nov 16 '17 03:11

Additional comment: Both the client and server would have to be updated.

krotscheck, Nov 16 '17 16:11

Hi,

I would like to contribute. I've never worked on an open source project and this seems good for a beginner. Is this still needed?

Sprootsy, Nov 20 '17 22:11

I noticed the same issue today. I searched for a long time for differences between using one or the other but did not find anything of relevance. I think using "X-Requested-With" in CsrfProtectionFilter would have been the better choice, but you cannot change it now without breaking existing implementations. You would have to add the second option. The other header name may come out of the quasi-reference document on CSRF at https://seclab.stanford.edu/websec/csrf/csrf.pdf .

schlm3, Mar 27 '18 13:03

That's fair. Let me update my "workaround" so that others can just copy/paste if they so choose:

https://github.com/kangaroo-server/kangaroo/blob/17afab901e5152546133ba8e4cfe07d6782162b2/kangaroo-common/src/main/java/net/krotscheck/kangaroo/common/security/CsrfProtectionFilter.java

krotscheck, Mar 27 '18 13:03
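The "add the second option" approach from the thread, as an added example that is neither Jersey's own CsrfProtectionFilter nor the linked kangaroo code: a JAX-RS request filter that exempts safe methods and rejects every other request that carries neither header. The class name, the 400 response body, and the choice of `Priorities.AUTHENTICATION` are assumptions made for this example.

```java
import java.util.Arrays;
import java.util.List;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/**
 * Hypothetical CSRF filter (example only, not Jersey's) that accepts either
 * custom header name. Safe methods are exempt; any other request must carry
 * one of the headers. The defence works because a browser will not attach a
 * custom header to a cross-site form post or simple request unless the
 * server has first allowed it through a CORS preflight.
 */
@Provider
@PreMatching
@Priority(Priorities.AUTHENTICATION)
public class DualHeaderCsrfProtectionFilter implements ContainerRequestFilter {

    /** De-facto standard name (jQuery, OWASP cheat sheet). */
    public static final String X_REQUESTED_WITH = "X-Requested-With";
    /** Name used by Jersey's CsrfProtectionFilter, kept for existing clients. */
    public static final String X_REQUESTED_BY = "X-Requested-By";

    /** Methods that must not change state and therefore need no header. */
    private static final List<String> SAFE_METHODS = Arrays.asList("GET", "HEAD", "OPTIONS");

    @Override
    public void filter(ContainerRequestContext ctx) {
        if (SAFE_METHODS.contains(ctx.getMethod())) {
            return;
        }
        if (!hasHeader(ctx, X_REQUESTED_WITH) && !hasHeader(ctx, X_REQUESTED_BY)) {
            // Abort before resource matching so the handler never runs.
            ctx.abortWith(Response.status(Response.Status.BAD_REQUEST)
                    .entity("Missing " + X_REQUESTED_WITH + " or " + X_REQUESTED_BY + " header")
                    .build());
        }
    }

    /** True when the header is present with a non-empty value. */
    static boolean hasHeader(ContainerRequestContext ctx, String name) {
        String value = ctx.getHeaderString(name);
        return value != null && !value.isEmpty();
    }
}
```

As the thread notes, clients must send one of the two headers on every non-safe request, and the check only holds if the server's CORS configuration does not allow these headers for arbitrary origins.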