From trac at fedorahosted.org Thu Nov 19 10:09:19 2015
From: fedora-badges
To: websites at lists.fedoraproject.org
Subject: [Fedora Infrastructure] #3796: remove _csrf_token from display URLs
Date: Wed, 08 May 2013 07:47:37 +0000
Message-ID: <060.058549bf82ef20011180ff32ac6fd025@fedorahosted.org>

#3796: remove _csrf_token from display URLs
--------------------------+-----------------------------
  Reporter: till          | Owner: webmaster
      Type: enhancement   | Status: new
  Priority: major         | Milestone: HANDWAVY-FUTURE
 Component: Web Content   | Version:
  Severity: Normal        | Keywords:
Blocked By:               | Blocking:
 Sensitive: 0             |
--------------------------+-----------------------------
= problem =

Several web-apps use a URL parameter called _csrf_token to prevent CSRF attacks. This token is shown in the URL location bar in browsers and makes URLs ugly and might lead to people exposing their CSRF token in e-mails.

= analysis =

HTML5 allows manipulating the contents of the URL location bar.

= enhancement recommendation =

Deploy JavaScript like
{{{
// Drop the _csrf_token parameter (a 40-character hex value) wherever it sits
// in the query string, keeping the separator in front of any parameter that
// follows it, then trim a separator left dangling at the end of the URL.
var new_url = window.location.href
    .replace(/([?&])_csrf_token=[0-9a-f]{40}&?/, "$1")
    .replace(/[?&]$/, "");
// Rewrite the current history entry in place, without a navigation.
history.replaceState({}, document.title, new_url);
}}}
to remove the CSRF token from URLs shown in browsers. This code might be adjusted to work in all browsers, but it works at least in Firefox. Maybe a JavaScript expert can take a look.

The only disadvantage of this method is that going back in the history will reload a page that requires re-verification. But this might be solved by storing the CSRF token in the history state. Also it does not seem to cause real trouble.
--
Ticket URL:
Fedora Infrastructure
Fedora Infrastructure Project for Bugs, feature requests and access to our source code.

From trac at fedorahosted.org Thu Nov 19 10:09:19 2015
From: fedora-badges
To: websites at lists.fedoraproject.org
Subject: Re: [Fedora Infrastructure] #3796: remove _csrf_token from display URLs
Date: Wed, 08 May 2013 16:24:14 +0000
Message-ID: <075.c2214e148e9f1987428d0f9b6a5e1f20@fedorahosted.org>
In-Reply-To: 060.058549bf82ef20011180ff32ac6fd025@fedorahosted.org

#3796: remove _csrf_token from display URLs
-------------------------+------------------------------
  Reporter: till         | Owner: webmaster
      Type: enhancement  | Status: new
  Priority: major        | Milestone: HANDWAVY-FUTURE
 Component: Web Content  | Version:
  Severity: Normal       | Resolution:
  Keywords: EasyFix      | Blocked By:
  Blocking:              | Sensitive: 0
-------------------------+------------------------------
Changes (by toshio):

 * keywords:  => EasyFix

Comment:

We think this would be a good feature to add. It'll require modifying every app individually as there isn't a site-wide template we can inject it into. We'll also want to verify that the javascript works even if the app is using a non-csrf-protecting plugin.

For implementation, I think we'd want to add this into a site-wide javascript file and then in each application's base template add something like:
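toshio's message ends there in the archive. As an added example that is not part of the thread (not till's snippet, not toshio's, and not code from any Fedora application), the following JavaScript does what the ticket proposes but removes the parameter wherever it sits in the query string and whatever its value (the ticket's regex only matches 40 hex characters), leaves the fragment alone, and keeps the removed token in the history entry's state so a later "back" navigation can recover it, as the ticket suggests. The function name `hideCsrfTokenInLocationBar` and the sample URLs are assumptions.

```javascript
// Added example, not code from the ticket or from any Fedora app.
// Splits the URL into path, query and fragment by hand so that a
// "_csrf_token" inside the fragment is left alone and the parameter is
// removed wherever it appears in the query (first, middle or last).
// Returns { url, token }: the URL without the parameter and the removed
// value, or the untouched URL and null when there was nothing to strip.
function stripCsrfToken(href) {
  const hashIdx = href.indexOf('#');
  const hash = hashIdx === -1 ? '' : href.slice(hashIdx);
  const base = hashIdx === -1 ? href : href.slice(0, hashIdx);
  const qIdx = base.indexOf('?');
  if (qIdx === -1) return { url: href, token: null };    // no query string
  const path = base.slice(0, qIdx);
  const kept = [];
  let token = null;
  for (const part of base.slice(qIdx + 1).split('&')) {
    if (part === '') continue;                           // tolerate "a=1&&b=2"
    if (part.startsWith('_csrf_token=')) {
      token = part.slice('_csrf_token='.length);         // keep it for history state
      continue;
    }
    kept.push(part);
  }
  if (token === null) return { url: href, token: null }; // leave URL untouched
  const url = path + (kept.length > 0 ? '?' + kept.join('&') : '') + hash;
  return { url, token };
}

// Browser-side wrapper (hypothetical name). Rewrites the current history
// entry in place and stores the token in history.state, so code handling a
// "back" navigation can read history.state._csrf_token instead of needing
// the token in the URL. Returns the stripped token, or null when not running
// in a browser (no window/History API) or when the URL carried no token.
function hideCsrfTokenInLocationBar() {
  if (typeof window === 'undefined' || !window.history ||
      typeof window.history.replaceState !== 'function') {
    return null;
  }
  const { url, token } = stripCsrfToken(window.location.href);
  if (token === null) return null;
  const state = Object.assign({}, window.history.state || {}, { _csrf_token: token });
  window.history.replaceState(state, document.title, url);
  return token;
}
```

Loading this in a page and calling `hideCsrfTokenInLocationBar()` once after the document is ready covers every app the same way, which is the site-wide placement toshio describes.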