Login/Register
CSRF Protection with HTTP GET requests in Rails
Asked Answered
ruby-on-railsruby-on-rails-3.1csrfcsrf-protectionprotect-from-forgery
G

1

10

I understand that Rails by default doesn't have CSRF protection for HTTP GET requests, because, it claims they are idempotent. However, there is sensitive information that is returned to the user from these GET requests, and, I would't want a malicious site retrieving this information.

What is the best way to protect HTTP GET requests from CSRF in Rails?

Georas answered 25/2, 2012 at 18:45 Comment(8)
When a malicious party does a csrf attack they don't see the results of the request - only the side effects are dangerousLysias
You usually use authentication through cookies for this kind of taskMetropolis
@NikitaBeloglazov Even if the authentication is through cookies, the browser normally sends the cookie across to the victim website when it sees a request for the victim's site being made. This is from [the Wikipedia article] (en.wikipedia.org/wiki/…): "If Bob's bank keeps his authentication information in a cookie, and if the cookie hasn't expired, then the attempt by Bob's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Bob's approval."Georas
@FrederickCheung Can you explain a little further how or why the malicious party doesn't or can't see the results of the request?Georas
CSRF is about tricking the victim's browser into making a request, since that's where the credentials are, e.g. by getting them to click on a link / submit a form to somebank.com/transfer_money?to=Fred&amount=1000 The response still goes to the user's browser through, not the attacker.Lysias
@FrederickCheung I understand that. So, if this request is made through say an <img src="victim.com/do_somethingbad"isn't the response sent back to this tag, which can then be read, perhaps, through a JS script by the malicious website?Georas
Don't think so. Obviously Ajax requests and similar would be disallowed by single origin policyLysias
@Aayush "Even if the data were interpreted as a JavaScript object literal, it could not be accessed by JavaScript running in the browser, since without a variable assignment, object literals are inaccessible." wikiDari
H
10

To be able to read the response to a CSRF attack’s request, an attacker would need to get the victim to execute his JavaScript code. And in that case, the access would be restricted by some Same Origin Policy.

Assuming the attacking request is really cross origin, the Same Origin Policy for DOM forbids access via DOM (e. g. when embedded using iframe) and the Cross-Origin Resource Sharing (CORS) regulates cross-origin requests via XMLHttpRequest as follows:

If the request is a simple cross-origin request, i. e. simple method with only simple header fields, then that request will be sent (this is similar to HTML-based CSRF). But accessing a simple cross-origin request’s response depends on whether the response allows resource sharing.

Other cross-origin requests require a so called preflight before the actual request is sent. That request is sent to check whether the server allows requests from the origin the preflight is sent from. And only if the preflight succeeds and the response to the actual request allows resource sharing, the response can be accessed.

So to conclude: Unless your server supports CORS and explicitly allows sharing with any other origin (i. e. Access-Control-Allow-Origin: *), a CSRF response – if the request was allowed at all – won’t be readable by the attacking site.

Horripilate answered 6/3, 2012 at 21:7 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.