Application: added CSRF protection for signals using method POST [Closes #469] #1385
base: master
Conversation
As a concept, good. But I don't like the addProtection call, what about annotation?
I've got an idea: We can make all signals protected by default. And if somebody doesn't want it, they could use an annotation.
The advantage is that you cannot create an unprotected signal by mistake. If you forget (even if only once!) to add e.g. the
The disadvantage is that all web sites will have to use the JavaScript, otherwise it would be quite uncomfortable for users.
@fabik 👍
RFC 2616, section 9.1.1 states:

So we should use POST for secured signals (and ideally for all signals with side effects).

We can do this using JavaScript that sends links carrying the parameter `data-nette-post` using POST. We can also easily create a fallback method for users without JavaScript: if a user attempts to access a protected page using the GET method, we will show him a confirmation form which will execute the request with the CSRF token in a POST param.

This commit allows you to protect a signal by calling e.g.

    $this->addProtection("Do you really want to delete user '$username'?");

at the beginning of the signal. After that, if you access the page via GET, or via POST but with an invalid token, a confirmation dialog will be displayed.

A secured link can be created using `<a n:href="signal!" n:secured>`, which adds the parameter `data-nette-post`. You can send links with this parameter by method POST using the following JavaScript:

(Maybe we should also create some official JavaScript like netteForms.js.)

If you want to send signals using AJAX, you just have to modify your JavaScript so that it uses method POST and sends the POST params contained in `$control->getCsrfPost()`.

The confirmation dialog can be customized by overriding the method `displayCsrfConfirmationDialog()` in Presenter.
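The client-side half of the scheme described above, written here as an added example (it is not the JavaScript from this pull request or from Nette): links marked with `data-nette-post` are re-sent as POST with the CSRF parameters in the body, and the token is refused for any link that does not resolve to the page's own origin. The parameter name `_csrf_token` and the `csrfPost` object (standing in for whatever `$control->getCsrfPost()` rendered into the page) are assumed placeholders.

```javascript
// Added example, not the PR's own JavaScript. `csrfPost` stands for the POST
// parameters the server rendered from $control->getCsrfPost(); the field
// name `_csrf_token` used in the tests is an assumed placeholder.

// Pure part: decide how a marked link is sent. The signal stays in the query
// string of the form action (e.g. ?do=delete!), only the token goes into the
// POST body, so it never lands in URLs, access logs or the Referer header.
// A link pointing at another origin is refused: posting the token there would
// hand it to a third party.
function buildPostRequest(href, csrfPost, pageOrigin) {
  if (!href) throw new Error('link without href');
  const url = new URL(href, pageOrigin);
  if (url.origin !== pageOrigin) {
    throw new Error('refusing to send CSRF token cross-origin: ' + url.origin);
  }
  const fields = {};
  for (const [name, value] of Object.entries(csrfPost)) {
    fields[name] = String(value);
  }
  return { method: 'POST', action: url.href, fields };
}

// DOM part (browser only): build a hidden form from the request and submit it.
function submitAsPost(anchor, csrfPost) {
  const req = buildPostRequest(anchor.getAttribute('href'), csrfPost, window.location.origin);
  const form = document.createElement('form');
  form.method = req.method;
  form.action = req.action;
  for (const [name, value] of Object.entries(req.fields)) {
    const input = document.createElement('input');
    input.type = 'hidden';
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  document.body.appendChild(form);
  form.submit();
}

// One delegated click handler covers every a[data-nette-post] on the page,
// including links added later. Returns false outside a browser.
function installNettePost(csrfPost) {
  if (typeof document === 'undefined') return false;
  document.addEventListener('click', (event) => {
    const anchor = event.target.closest ? event.target.closest('a[data-nette-post]') : null;
    if (!anchor) return;
    event.preventDefault();   // stop the plain GET the browser would send
    submitAsPost(anchor, csrfPost);
  });
  return true;
}
```

Without JavaScript the link still fires a GET, which the server-side fallback answers with the confirmation form, so the page degrades to the behaviour the description above relies on.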