#3796 remove _csrf_token from display URLs
Closed: Fixed None Opened 8 years ago by till.

= problem =
Several web-apps use a URL parameter called _csrf_token to prevent CSRF attacks. This token is shown in the URL location bar in browsers, which makes URLs ugly and might lead to people exposing their CSRF token in e-mails.

= analysis =
HTML5 allows manipulating the contents of the URL location bar.

= enhancement recommendation =

Deploy JavaScript like
// Strip _csrf_token together with the ? or & in front of it (also when it is not the last parameter), then drop a ? or & left dangling before the fragment or at the end.
new_url = window.location.href.replace(/([?&])_csrf_token=[0-9a-f]{40}&?/, "$1").replace(/[?&](#|$)/, "$1");
history.replaceState({}, document.title, new_url);
to remove the CSRF token from URLs shown in browsers.

This code might be adjusted to work in all browsers, but it works at least in Firefox. Maybe a JavaScript expert can take a look. The only disadvantage of this method is that going back in the history will reload a page that requires the token to be re-verified. But this might be solved by storing the CSRF token in the history state. Also it does not seem to cause real trouble.
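The replaceState trick from the ticket written out as reusable functions, as an added example that is not code from the ticket or from Fedora Infrastructure. It strips _csrf_token from any position in the query string (the one-line regex leaves a stray & behind when the token is not the last parameter), keeps a fragment intact, and carries the token over into history.state so that a back/forward navigation still knows its token, which is the "store the CSRF token in the history state" idea above. Assumptions: the parameter name _csrf_token and its 40-hex-character shape (as in the ticket's regex); fakeWindow() is a constructed stand-in for the browser's window so the code also runs outside a page; the example URLs are made up.

```javascript
// Added example, not code from the ticket or from Fedora Infrastructure.
// Assumptions: the token parameter is named _csrf_token and holds 40 hex
// characters; fakeWindow() below is a constructed stand-in for the browser's
// window/history/location so the helpers can be exercised under Node as well.

const TOKEN_PARAM = "_csrf_token";
const TOKEN_RE = /^[0-9a-f]{40}$/; // assumed token shape, matching the ticket's regex

// Remove every _csrf_token parameter from a URL, wherever it sits in the query
// string, and return the cleaned URL together with the first token seen.
// The query is split by hand so that "?_csrf_token=X&page=2" becomes "?page=2"
// rather than "?&page=2", and a fragment survives untouched.
function stripCsrfToken(href) {
  const hashIdx = href.indexOf("#");
  const fragment = hashIdx === -1 ? "" : href.slice(hashIdx);
  const withoutHash = hashIdx === -1 ? href : href.slice(0, hashIdx);
  const qIdx = withoutHash.indexOf("?");
  if (qIdx === -1) return { url: href, token: null };

  const base = withoutHash.slice(0, qIdx);
  let token = null;
  const kept = [];
  for (const pair of withoutHash.slice(qIdx + 1).split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    if (key === TOKEN_PARAM) {
      if (token === null) token = eq === -1 ? "" : pair.slice(eq + 1);
      continue; // drop it from the visible URL
    }
    kept.push(pair);
  }
  const query = kept.length ? "?" + kept.join("&") : "";
  return { url: base + query + fragment, token };
}

// Rewrite the current history entry in place and stash the token in its state.
// Returns the token that was hidden, or null when the URL carried none (or
// carried something that does not look like a token, which is left alone).
function hideCsrfToken(win) {
  const { url, token } = stripCsrfToken(win.location.href);
  if (token === null || !TOKEN_RE.test(token)) return null;
  const state = Object.assign({}, win.history.state || {}, { csrfToken: token });
  win.history.replaceState(state, win.document.title, url);
  return token;
}

// Token for the current history entry: from the URL if it is still there
// (first load), otherwise from the state saved by hideCsrfToken (after back/forward).
function currentCsrfToken(win) {
  const fromUrl = stripCsrfToken(win.location.href).token;
  if (fromUrl !== null) return fromUrl;
  const st = win.history.state;
  return st && typeof st.csrfToken === "string" ? st.csrfToken : null;
}

// Constructed stand-in for window/history/location (not a real browser API)
// so the helpers can be exercised outside a page.
function fakeWindow(href) {
  const win = { location: { href }, document: { title: "demo" }, history: { state: null } };
  win.history.replaceState = function (state, title, url) {
    this.state = state;
    win.location.href = url; // a real browser updates the location bar the same way
  };
  return win;
}

// In a page: run once the script executes. Under Node there is no window,
// so the demo below uses fakeWindow instead.
if (typeof window !== "undefined" && window.history && window.history.replaceState) {
  hideCsrfToken(window);
}

// Constructed demo URL (made up for this example).
const demo = fakeWindow("https://admin.fedoraproject.org/mirrormanager/?_csrf_token=" +
  "0123456789abcdef0123456789abcdef01234567" + "&page=2#list");
hideCsrfToken(demo);
// demo.location.href is now "https://admin.fedoraproject.org/mirrormanager/?page=2#list"
// and currentCsrfToken(demo) still returns the token from history.state.
```

In a page, include the script at the end of the base template (or run hideCsrfToken(window) on DOMContentLoaded) and use currentCsrfToken(window) wherever the application's own JavaScript needs the token, so the page keeps working after the URL no longer shows it.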

We think this would be a good feature to add. It'll require modifying every app individually as there isn't a site-wide template we can inject it into. We'll also want to verify that the javascript works even if the app is using a non-csrf-protecting plugin.

For implementation, I think we'd want to add this into a site-wide javascript file and then in each application's base template add something like:

<script type='text/javascript' src='https://fedoraproject.org/static/js/site-csrf-srip.js'></script>

Marking this EasyFix as it's mostly checking out the source code for all the TG1 and TG2 apps and adding that. The first one will need a little coordination and testing:

* Making sure that the javascript doesn't cause errors when a non-csrf identity provider is used (mirrormanager in particular is written to support sites that just use the vanilla TG1 sqlobject identity provider).
* Adding the javascript file into the fedoraproject.org/static/ directory.

If someone gets to this before me and needs help, feel free to ask for help enabling these on #fedora-admin.

The JavaScript snippet should probably be hosted only at admin.fedoraproject.org, so that people with access to the fedoraproject.org web root cannot manipulate login forms or use each web application that includes the snippet with the privileges of each user, e.g. by adding [[http://en.wikipedia.org/wiki/BeEF_%28Browser_Exploitation_Framework%29|BeEF]] to it.

Hmm, do you think that the JavaScript method is a good solution? It looks like a workaround rather than a solid solution. Read this: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL

If so, I could take this ticket, so I will be able to go through all those webapps and learn them a little.

Using JavaScript is a good and easy workaround, but since there is not much movement here, starting to fix the applications properly is also a good idea.

Ok, could you assign this one to me? Regarding our infrastructure meeting on IRC, I could take care of the rest of the apps (datagrepper, askbot); thx :)

Moving all currently open easyfix tickets to the HANDYWAVY-FUTURE milestone.

I'm clearing the assigned status on all easyfix tickets.

If you are an apprentice actively working on this ticket, feel free to reassign to yourself. Otherwise let a new apprentice have a look.

Not that "actively" on this particular ticket; I'm still working on a Dockerfile for creating a devenv for TG apps (https://git.fedorahosted.org/cgit/dockerfiles.git/tree/needs_work/fedora-fas) but it's still not ready. As soon as it's rolled up, I'll be able to poke around this particular ticket.

If anyone else feels like poking around this very soon, then no problem - feel free to comment and I'll reassign :)

I wonder if this ticket is still worth spending time on.

The last two TG1 applications which put the csrf token in the URL are FAS and MirrorManager. Both are currently being re-written.

Yup pingou, totally agree :)

both mm2 and bodhi2 are deployed... so this ticket is now moot.

Please feel free to reopen if you see any application still using these.
