I've added OWASP CSRFGuard to my project and found that some resources such as CSS and GIFs are protected, though they are defined as unprotected by the following piece of configuration:
org.owasp.csrfguard.unprotected.Public=%servletContext%/resources/*
org.owasp.csrfguard.unprotected.CSS=%servletContext%/resources/css/main.css
org.owasp.csrfguard.unprotected.JS=*.js
org.owasp.csrfguard.unprotected.Scripts=*.js
org.owasp.csrfguard.unprotected.Styles=*.css
org.owasp.csrfguard.unprotected.GIF=*.gif
org.owasp.csrfguard.unprotected.PNG=*.png
org.owasp.csrfguard.unprotected.JPG=*.jpg
For JS files all works fine. So what's the reason for this behaviour? Thanks in advance.
I'm not sure what the reason is. I just know that it has to do with href attributes (such as those used for CSS and GIF files). The unprotected declarations in the properties file work fine for me when I have my CSRFGuard filter on all requests (url pattern = "/*"), but not when I want to specify a certain servlet.
However, I have found a workaround. In your web.xml, add this as an init param to your OwaspJavaScriptServlet:
Then your resources with href and src attributes should be token-free. See the documentation.
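The answer points at the distinction that explains the question: the `unprotected.*` patterns are consulted by the server-side filter when it decides whether to validate a request, while the token that shows up on CSS and GIF URLs is put there by the client-side script rewriting `href`/`src` attributes. The following is an added illustration of that split, written for this page and not taken from CSRFGuard's code; the pattern semantics (trailing `*` = prefix match, leading `*` = suffix match, otherwise exact match, `%servletContext%` = context path), the token parameter name `OWASP_CSRFTOKEN`, the context path `/app`, the origin `https://app.example` and the sample HTML are all assumed or constructed here.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed default token parameter name; change if your deployment renames it.
TOKEN_NAME = "OWASP_CSRFTOKEN"

# The unprotected patterns from the question (key -> pattern), constructed here.
UNPROTECTED = {
    "Public": "%servletContext%/resources/*",
    "CSS": "%servletContext%/resources/css/main.css",
    "JS": "*.js",
    "Styles": "*.css",
    "GIF": "*.gif",
    "PNG": "*.png",
    "JPG": "*.jpg",
}


def matches(pattern: str, path: str, context_path: str) -> bool:
    """Assumed matching rules: trailing '*' = prefix, leading '*' = suffix, else exact."""
    pattern = pattern.replace("%servletContext%", context_path)
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return path == pattern


def server_validates(path: str, context_path: str = "/app") -> bool:
    """Server side: True if the filter would demand a valid token for this path."""
    return not any(matches(p, path, context_path) for p in UNPROTECTED.values())


def inject_token(url: str, token: str, origin: str = "https://app.example") -> str:
    """Client side (model): append the token to same-origin URLs, skip cross-origin ones.

    Note that the unprotected list is not consulted here, which is why a CSS or
    GIF URL the server never validates still carries a token."""
    parts = urlsplit(url)
    if parts.scheme and f"{parts.scheme}://{parts.netloc}" != origin:
        return url
    query = parse_qsl(parts.query, keep_blank_values=True)
    if TOKEN_NAME not in dict(query):
        query.append((TOKEN_NAME, token))
    return urlunsplit(parts._replace(query=urlencode(query)))


ATTR_RE = re.compile(r'\b(href|src)="([^"]*)"')


def inject_into_attributes(html: str, token: str, inject: bool = True) -> str:
    """Rewrite every href/src attribute; inject=False models switching attribute injection off."""
    if not inject:
        return html
    return ATTR_RE.sub(lambda m: f'{m.group(1)}="{inject_token(m.group(2), token)}"', html)


def explain(url: str, token: str, context_path: str = "/app") -> dict:
    """For one URL: does the token appear, and would the server actually check it?"""
    rewritten = inject_token(url, token)
    path = urlsplit(rewritten).path
    return {
        "rewritten": rewritten,
        "token_in_url": TOKEN_NAME in rewritten,
        "server_validates": server_validates(path, context_path),
    }


# Constructed page fragment standing in for a real JSP/HTML response.
PAGE = (
    '<link rel="stylesheet" href="/app/resources/css/main.css">\n'
    '<img src="/app/images/logo.gif">\n'
    '<script src="/app/js/app.js"></script>\n'
    '<a href="/app/account/transfer">Transfer</a>\n'
    '<img src="https://cdn.example/pixel.gif">\n'
)

if __name__ == "__main__":
    tok = "constructed-token-value"
    print(inject_into_attributes(PAGE, tok))
    for u in ["/app/resources/css/main.css", "/app/images/logo.gif", "/app/account/transfer"]:
        print(u, explain(u, tok))
```

Running it shows the CSS and GIF URLs gaining a token (attribute injection) while `server_validates` is `False` for them (they match `unprotected.*`), and the transfer link both gaining a token and being validated. Turning attribute injection off (`inject=False`) leaves the static resources token-free, which is the effect the workaround above aims for.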