
Re: CSRF does not work in iframe.

From: address@hidden
Subject: Re: CSRF does not work in iframe.
Date: Thu, 14 Sep 2017 09:58:40 +0200


The Access-Control-Allow-Credentials is a dangerous header.

Monit uses the stateless double-submit-cookie pattern for CSRF defence:
... the action will work when the request's "securitytoken" cookie and "securitytoken" http parameter match - the value is not important, you can generate a new value for every request on the client side (the defence is based on the fact that the CSRF attacker can neither read nor set/modify the cookie value, so cannot set a matching http parameter value).

Best regards,

> On 14 Sep 2017, at 06:13, Bhuvan Gupta <address@hidden> wrote:
> Any help will be nice
> On Thu, Sep 7, 2017 at 12:37 PM, Bhuvan Gupta <address@hidden> wrote:
> Hello all,
> I created an allMonit.html which has two iframes with the src of two different 
> monit http interfaces running on two different systems.
> allMonit.html structure
>     <iframe src = "http://firstserver:2812"></iframe>
>     <iframe src = "http://seconderver:2812"></iframe>
> Now when I open allMonit.html in chrome, I see two monit interfaces. GREAT
> Now if I try to, let's say, "start a service" on firstserver, I get invalid 
> Upon investigation I found that without the iframe the http request contains a 
> cookie header like 
> Cookie:securitytoken=6265d84a17c2715c7252c84d88a479cf
> Whereas the http request from the iframe does not include the cookie header.
> Upon further study, I found that since the monit http response does not contain 
> the following header
> Access-Control-Allow-Credentials: true
> the browser will not transmit the cookie back to the server.
> Now the question arises:
> QUESTION: How to configure monit to add an additional http header
> Thanks
> Bhuvan
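The double-submit check described in the reply above, as an added example in Python that is not Monit's own code: `csrf_check` and `new_client_request` are hypothetical helpers, and the three sample requests (a first-party request, a cross-site forgery, and the iframe case from the question where the browser sent no Cookie header) are constructed here.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

TOKEN_NAME = "securitytoken"  # cookie and parameter share this name, as in the thread


def parse_cookie_header(cookie_header):
    """Return the cookies from a raw Cookie request header as a dict."""
    jar = SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def csrf_check(cookie_header, body):
    """Stateless double-submit check: accept only when the securitytoken cookie
    and the securitytoken form parameter are both present and equal.
    The server stores nothing and does not care what the value is."""
    cookie_token = parse_cookie_header(cookie_header).get(TOKEN_NAME)
    param_token = parse_qs(body or "").get(TOKEN_NAME, [None])[0]
    if not cookie_token or not param_token:
        return False
    # constant-time comparison so the check leaks nothing about the token
    return hmac.compare_digest(cookie_token.encode(), param_token.encode())


def new_client_request(action):
    """What a legitimate first-party client does: mint a fresh random token
    and submit it both as the cookie and as the http parameter."""
    token = secrets.token_hex(16)
    return f"{TOKEN_NAME}={token}", f"action={action}&{TOKEN_NAME}={token}"


def demo():
    """Constructed sample requests (not real traffic from the thread)."""
    cookie, body = new_client_request("start")
    same_origin = csrf_check(cookie, body)  # cookie and parameter match: allowed
    # A cross-site attacker can pick the parameter but cannot read or set the
    # victim's cookie, so the two never match.
    forged = csrf_check("securitytoken=6265d84a17c2715c7252c84d88a479cf",
                        "action=start&securitytoken=deadbeef")
    # The iframe case from the question: the browser sent no Cookie header at all,
    # so the request is rejected exactly like a forgery would be.
    no_cookie = csrf_check(None, "action=start&securitytoken=6265d84a17c2715c7252c84d88a479cf")
    return same_origin, forged, no_cookie
```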
