How to protect widgets from forged requests

Backend · Unresolved · 6 · 1132
孤独总比滥情好 2020-12-10 11:37

Let's say you have a JavaScript widget which needs to fire off a request to your web application if and only if the user wants to click on it. You don't want this request

6 answers
  •  感动是毒
    2020-12-10 12:09

    Because of CSRF you must be within an iframe...

    No. You cannot remediate CSRF with form cookies and other nonce tricks. It does not matter where you put them.

    So there is a duality, it seems you are stuck between CSRF and Clickjacking. What is the best solution (if any) to this problem?

    To remediate CSRF, you have to remove the threat by fixing the server that has the injection or malicious code, stopping the phishing email, etc. In the absence of a benign environment, you need to re-authenticate the user (or provide another challenge/response to ensure an interactive user). See:

    • Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet

    To remediate Clickjacking, utilize X-Frame-Options or frame-breaking code in JavaScript. But I don't think either are foolproof. See:

    • Clickjacking Defense Cheat Sheet
