<div dir="ltr">Loic,<div><br></div><div style>After giving the CSRF middleware some thought and reading <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL">https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL</a> I came to conclusion that it is best to just not create the middleware and instead deal with CSRF on as needed basis. </div> <div style><br></div><div style>I know that node's Connect middleware <a href="http://www.senchalabs.org/connect/csrf.html#defaultValue">http://www.senchalabs.org/connect/csrf.html#defaultValue</a> for example allows for the csrf token to be passed as a query string parameter, however, the OWASP article made me think that it is not the most secure approach.</div> <div style><br></div><div style>For example, AngularJS <a href="http://docs.angularjs.org/api/ng.$http">http://docs.angularjs.org/api/ng.$http</a> has a section on how their AJAX component behaves to do CSRF out of the box, and they are talking about the server sending a cookie <span style="color:rgb(51,51,51);font-family:monospace;font-size:12.800000190734863px;line-height:18px">XSRF-TOKEN </span>that is not HttpOnly. That makes me realize that csrf is a process more than just slapping some middleware into the pipeline.</div> <div style><br></div><div style>Btw, I noticed that when the result of the middleware execute function is:</div><div style>{error, StatusCode, Req}<br></div><div style>if I set the reply on the request via cowboy_req:reply before returning the {error.. , the status code of that reply will be used.</div> <div style><br></div><div style>Such as:</div><div style><div>{ok, Req3} = cowboy_req:reply(403, [], "Invalid CSRF Token.", Req2),<span class="" style="white-space:pre"> </span></div><div>{error, 500, Req3}; % 500 is ignored, 403 is returned</div> <div><br></div><div style>Is that by design?</div><div style><br></div><div style>Sincerely,</div><div style><br></div><div style>rambocoder</div><div><br></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote"> On Mon, Apr 15, 2013 at 4:47 PM, Loïc Hoguin <span dir="ltr"><<a href="mailto:essen@ninenines.eu" target="_blank">essen@ninenines.eu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Why not just put the token in the URL instead? if it's CSRF then it's probably used only once and only for POST and the like, so not cached or anything.<div><div class="h5"><br> <br> On 04/15/2013 10:45 PM, rambocoder wrote:<br> </div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"> Hello group,<br> <br> I am trying to put together a CSRF middleware<br> <a href="https://github.com/rambocoder/stable/commit/b26980d292ac42aadfe9921a961436e28cdbb693" target="_blank">https://github.com/rambocoder/<u></u>stable/commit/<u></u>b26980d292ac42aadfe9921a961436<u></u>e28cdbb693</a> and<br> if the body of the request contains "_csrf" token, I check to make sure<br> it matches the csrf token in the session.<br> <br> Currently I am doing it in middleware using cowboy_req:body_qs/1 however<br> when in the handler I need to read another body parameter, such as in<br> the rest_pastebin example:<br> <br> {ok, BodyQs, Req3} = cowboy_req:body_qs(Req),<br> Paste = proplists:get_value(<<"paste"><u></u>>, BodyQs),<br> <br> cowboy_req:body_qs/1 returns [] due to the body of the request being<br> already read {body_state,done}<br> <br> Is it pointless to have the type of CSRF middleware that I am writing<br> and just do the CSRF in the handler's callback, where I can deal with<br> all the body_qs at once?<br> <br> Thank you,<br> <br> rambocoder<br> <br> <br></div></div> ______________________________<u></u>_________________<br> Extend mailing list<br> <a href="mailto:Extend@lists.ninenines.eu" target="_blank">Extend@lists.ninenines.eu</a><br> <a href="http://lists.ninenines.eu:81/listinfo/extend" target="_blank">http://lists.ninenines.eu:81/<u></u>listinfo/extend</a><br> <br><span class="HOEnZb"><font color="#888888"> </font></span></blockquote><span class="HOEnZb"><font color="#888888"> <br> <br> -- <br> Loďc Hoguin<br> Erlang Cowboy<br> Nine Nines<br> <a href="http://ninenines.eu" target="_blank">http://ninenines.eu</a><br> <br> </font></span></blockquote></div><br></div>