OFBiz › OFBiz - Notifications

[jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

1 message

Nicolas Malin (Jira)

[jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF

[ https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16660097#comment-16660097 ]

Girish Vasmatkar commented on OFBIZ-10427:
------------------------------------------

Hi Jacques

Thank you for the information. Yes, the "nonce" should provide the required protection. SameSite is still in infancy stage and will improve further hopefully.

I am currently not working on implementing a custom filter so please feel free with your implementation. Also, if per-request "nonce" is giving more problem, we can also implement per-session "nonce". Most use cases can live with per-session nonce and may not require per-request implementation.

Those were my two cents based on my knowledge. Please feel free to correct or enlighten me :).

Best,

Girish

> Add a mean to handle CSRF
> -------------------------
>
> Key: OFBIZ-10427
> URL: https://issues.apache.org/jira/browse/OFBIZ-10427
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Minor
> Attachments: webtools_web.xml.patch
>
>
> I already worked on that in OFBiz but without success so far: https://markmail.org/message/r245yie623cdo3wz)
> The tracks I explored are:
> * https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project (really not simple in OFBiz)
> * https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CSRF_Prevention_Filter/Introduction (I think preferred)

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)