[#39343] - [4.3] Allow not leaking the CSRF token
- Closed
- 12 Jan 2023
- Medium
- Build: 4.3-dev
- # 39343
- Diff
- SharkyKZ:j4/sec/request-token
User tests: Successful: Unsuccessful:
Summary of Changes
Adds an option for Joomla.request not to send the CSRF token.
Testing Instructions
Make two requests:
Joomla.request({
method: 'POST',
url: 'index.php?option=com_example&view=example'
});
Joomla.request({
method: 'POST',
url: 'index.php?option=com_example&view=example',
sendCsrfToken: false
});
Inspect whether X-CSRF-Token header is sent in the request.
Expected result AFTER applying this Pull Request
X-CSRF-Token header is sent in the first but not in the second request.
Documentation Changes Required
If JS API is documented anywhere, this new option should be added to the documentation.
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | JavaScript Repository NPM Change |
P.S.: In addition to the 2 test cases provided in the description, I have also tested:
Joomla.request({
method: 'POST',
url: 'index.php?option=com_example&view=example',
sendCsrfToken: true
});
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/39343.
| Status | Pending | ⇒ | Ready to Commit |
| Labels |
Added:
PR-4.3-dev
|
||
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/39343.
| Labels |
Added:
?
|
||
I think we should consider Dimitris PR, it will work automatically.
| Status | Ready to Commit | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2023-01-12 15:17:24 |
| Closed_By | ⇒ | HLeithner | |
| Labels |
Added:
Documentation Required
NPM Resource Changed
|
||
@HLeithner I think this one should be merged too as well as dimitris' one. because although that PR works automatically for external sites we'd still leak csrf tokens into subdomains (e.g. imagine an elasticsearch instance or another Joomla setup or even a mastodon instance or something) whereas with explicit code here we will not.
Probably replace sendCsrfToken: true, with skipToken: false,
and the code from my PR with the change:
// Use the CSRF only on the site's domain
// eslint-disable-next-line no-restricted-globals
if (!newOptions.skipToken && token && (newOptions.url.startsWith('/') || newOptions.url.startsWith(location.origin))) {
xhr.setRequestHeader('X-CSRF-Token', token);
}
in this case the other pr should be fixed that it's only valid for the joomla domain and not the subdomain. but of course would it leak into subdirectories which are not joomla but at some point I think it will be hard to differ for us what is joomla and what is external
Great, because more crappy automagic code is what everyone needs
Eventually, the magic behavior should be removed
Actually, the Joomla.request() should be immediately deprecated and replaced by fetch() without any magic Joomla wrapper. The MDN docs are far better than any documentation ever written about anything front end/back end on this project.
BTW I'm totally fine closing my PR and letting you drive the changes here, my intention wasn't to hijack your PR but rather invert the logic to stop the leak for foreign domains (which is the real problematic part)...
objected to the leak being introduced in the first place
Note: by default cross origin requests is blocked by browser, you need to do some extra job to make such leakage work.
I have tested this item✅ successfully on 1fdfbb9
Hints for other testers:
npm ciornpm run build:jsafter having applied the changes from this pull request in order to rebuild the JS in the media folder, or you use the installation or update package or custom update URL created by drone.This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/39343.