TechQA.

Csrfguard unprotected resources are protected

2k views Asked by At

I've added Owasp CsrfGuard to my project and found that some resources such as css and gif-s are protected though they are defined as unprotected by the next piece of configuration:

org.owasp.csrfguard.unprotected.Public=%servletContext%/resources/*
org.owasp.csrfguard.unprotected.CSS=%servletContext%/resources/css/main.css
org.owasp.csrfguard.unprotected.JS=*.js
org.owasp.csrfguard.unprotected.Scripts=*.js
org.owasp.csrfguard.unprotected.Styles=*.css
org.owasp.csrfguard.unprotected.GIF=*.gif
org.owasp.csrfguard.unprotected.PNG=*.png
org.owasp.csrfguard.unprotected.JPG=*.jpg

For js-s all works fine. So what's the reason for this behaviour?Thanks in advance.

security csrf owasp
Original Q&A
1

There are 1 answers

0
JasnaRB On

I'm not sure what the reason is. I just know that it has to do with href attributes (such as used for CSS and GIF files). The unprotected declarations in the properties file works fine for me when I have my CSRFGuard filter on all requests (url pattern = "/*"), but not when I want to specify a certain servlet.

However, I have found a workaround. In your web.xml, add this as an init param to your OwaspJavaScriptServlet:

<init-param>
    <param-name>inject-into-attributes</param-name>
    <param-value>false</param-value>
</init-param>

Then your resources with href and src attributes should be token-free. See the documentation.

Related Questions in SECURITY

Related Questions in CSRF

Related Questions in OWASP

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions