[Fedora Infrastructure] #3796: remove _csrf_token from display URLs
Fedora Infrastructure
trac at fedorahosted.org
Wed May 8 07:47:37 UTC 2013
#3796: remove _csrf_token from display URLs
--------------------------+-----------------------------
Reporter: till | Owner: webmaster
Type: enhancement | Status: new
Priority: major | Milestone: HANDWAVY-FUTURE
Component: Web Content | Version:
Severity: Normal | Keywords:
Blocked By: | Blocking:
Sensitive: 0 |
--------------------------+-----------------------------
= problem =
Several web-apps use a URL parameter called _csrf_token to prevent CSRF
attacks. This token is shown in the URL location bar in browsers and makes
URLs ugly and might lead to people exposing their CSRF token in e-mails.
= analysis =
HTML5 allows manipulating the contents of the URL location bar.
= enhancement recommendation =
Deploy JavaScript like
{{{
// Strip the _csrf_token parameter (40 hex chars) together with the
// separator it leaves behind, whether it is the first, a middle, or the
// last query parameter, then rewrite the location bar without reloading.
var new_url = window.location.href
    .replace(/([?&])_csrf_token=[0-9a-f]{40}(?:&|(?=#|$))/, "$1")
    .replace(/[?&](?=#|$)/, "");
history.replaceState({}, document.title, new_url);
}}}
to remove the CSRF token from URLs shown in Browsers.
This code might be adjusted to work in all browsers, but it works at least
in Firefox. Maybe a JavaScript expert can take a look. The only
disadvantage of this method is that going back in the history will reload
a page that requires re-verification. But this might be solved by
storing the CSRF token in the history state. Also, it does not seem to
cause real trouble.
--
Ticket URL: <https://fedorahosted.org/fedora-infrastructure/ticket/3796>
Fedora Infrastructure <http://fedoraproject.org/wiki/Infrastructure>
Fedora Infrastructure Project for Bugs, feature requests and access to our source code.
More information about the websites
mailing list
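The following is an added example, not code from the ticket or from Fedora Infrastructure, of the approach the ticket proposes: strip _csrf_token from the visible URL with history.replaceState and keep the token in the history entry's state so a same-document back/forward navigation can recover it. The function names (stripCsrfToken, addCsrfToken, hideCsrfTokenInLocationBar) and the assumption that the application re-verifies the token on load are the example's own; the pure helpers run under Node as well as in a browser.

```javascript
// Added example (not the ticket's own code). Hides _csrf_token in the
// location bar and parks it in history.state so it survives back/forward.

// Split a URL into the token and the URL with the parameter removed.
// Returns { url, token }; token is null when no _csrf_token is present.
function stripCsrfToken(href) {
  const m = /([?&])_csrf_token=([0-9a-f]{40})(?:&|(?=#|$))/.exec(href);
  if (!m) return { url: href, token: null };
  // Drop the parameter but keep the separator that preceded it ...
  let url = href.replace(m[0], m[1]);
  // ... then remove that separator if it is now dangling before '#' or end.
  url = url.replace(/[?&](?=#|$)/, "");
  return { url, token: m[2] };
}

// Inverse of stripCsrfToken: re-attach the token ahead of any fragment.
function addCsrfToken(url, token) {
  const hashIdx = url.indexOf("#");
  const base = hashIdx === -1 ? url : url.slice(0, hashIdx);
  const hash = hashIdx === -1 ? "" : url.slice(hashIdx);
  const sep = base.includes("?") ? "&" : "?";
  return base + sep + "_csrf_token=" + token + hash;
}

// Browser glue. `win` is a window-like object (assumption: the app
// re-verifies the token when a page is loaded with it). Returns the token
// that was hidden, or null if the URL carried none.
function hideCsrfTokenInLocationBar(win) {
  const { url, token } = stripCsrfToken(win.location.href);
  if (token === null) return null;
  // Keep any state the app already stored, and add the token to it.
  const state = Object.assign({}, win.history.state, { _csrf_token: token });
  win.history.replaceState(state, win.document.title, url);
  // Same-document back/forward: if the restored entry carries a token the
  // current URL lacks, reload that URL with the token re-attached.
  win.addEventListener("popstate", (ev) => {
    const saved = ev.state && ev.state._csrf_token;
    if (saved && !/[?&]_csrf_token=/.test(win.location.href)) {
      win.location.replace(addCsrfToken(win.location.href, saved));
    }
  });
  return token;
}

// Only wire up the browser part when a window exists (skipped under Node).
if (typeof window !== "undefined") {
  hideCsrfTokenInLocationBar(window);
}
```

Note that this only changes what the location bar shows: the token is still sent in the request line, so it still appears in server logs and in Referer headers of outbound links unless the application also moves it out of the URL.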