
Recommendation to support CSRF check in Atlassian products? #329

Closed
collinbarrett opened this issue Jul 25, 2017 · 6 comments

Comments

@collinbarrett

collinbarrett commented Jul 25, 2017

Likely related to #328 , but different enough that maybe opening a new issue is better. I currently use the below referer settings in user.js. However, Atlassian products (specifically JIRA and Confluence) show "XSRF check failed" in the Firefox console when the application makes some REST API POST calls. I was exploring some docs like here, but I am not super familiar with how CSRF works. Can anyone recommend how to try tweaking my user.js settings to support these applications? Maybe, @fmarier ?

Note that these apps are self-hosted and the API calls are made to the same domain and port on which the web application runs.

My Current Referer Config:

  • network.http.referer.spoofSource=false
  • network.http.referer.XOriginPolicy=1

Screenshots of the API call: [three screenshots, images not included]

Thanks!

@collinbarrett collinbarrett changed the title Recommendation to support CSRF in Atlassian products? Recommendation to support CSRF check in Atlassian products? Jul 25, 2017
@fmarier
Contributor

fmarier commented Jul 25, 2017

How about this?

  • network.http.referer.spoofSource=false (Firefox default)
  • network.http.referer.XOriginPolicy=0 (Firefox default)
  • network.http.referer.XOriginTrimmingPolicy=2

@collinbarrett
Author

That config works! Thanks, @fmarier . Am I sacrificing substantial privacy guards by loosening these policies up this much?

collinbarrett added a commit to collinbarrett/user.js that referenced this issue Jul 25, 2017
@fmarier
Contributor

fmarier commented Jul 25, 2017

Am I sacrificing substantial privacy guards by loosening these policies up this much?

With this config, you're essentially telling unrelated sites the hostname you came from. That's worse than telling unrelated sites nothing, but it's better than the default of telling them everything.

With this config for example, ads on a news site can't use the Referer header to tell which article you're reading but they can tell which news site you're on.
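To make the trade-off fmarier describes concrete, here is an added Python model (not Firefox code, and not part of this thread) of how the three prefs shape the Referer header a site receives, with a generic origin comparison standing in for a server-side CSRF check (an assumption, not Atlassian's XSRF logic). The base-domain rule is approximated as the last two host labels, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Simplified model of how Firefox (2017-era) builds the Referer header from the
# prefs discussed in this thread. Assumption: the base-domain rule is approximated
# as the last two host labels rather than the public suffix list.

def base_domain(host):
    return ".".join(host.split(".")[-2:])

def referer_for(src, dst, spoof_source=False, xorigin_policy=0, xorigin_trimming=0):
    """Referer value sent for a request src -> dst, or None if suppressed."""
    if spoof_source:  # network.http.referer.spoofSource=true: send the target URL itself
        return dst
    s, d = urlsplit(src), urlsplit(dst)
    same_host = s.netloc == d.netloc
    if s.scheme == d.scheme and same_host:
        return src.split("#", 1)[0]  # same origin: full URL, fragment dropped
    # network.http.referer.XOriginPolicy: 0 always send, 1 only if base domains match, 2 only if hosts match
    if xorigin_policy == 2 and not same_host:
        return None
    if xorigin_policy == 1 and base_domain(s.hostname) != base_domain(d.hostname):
        return None
    # network.http.referer.XOriginTrimmingPolicy: 0 full URL, 1 drop query/fragment, 2 origin only
    if xorigin_trimming == 2:
        return f"{s.scheme}://{s.netloc}/"
    if xorigin_trimming == 1:
        return f"{s.scheme}://{s.netloc}{s.path}"
    return src.split("#", 1)[0]

def origin_check(referer, app_origin):
    """Generic Referer-based CSRF check (assumed stand-in, not Atlassian's XSRF code)."""
    if referer is None:
        return False
    r = urlsplit(referer)
    return f"{r.scheme}://{r.netloc}" == app_origin

# Constructed sample URLs, not taken from the thread.
JIRA_PAGE = "https://jira.example.com/browse/ABC-1"
JIRA_API = "https://jira.example.com/rest/api/2/issue"
ARTICLE = "https://news.example/politics/article?id=7"
AD = "https://ads.example/track"

def compare_configs():
    """Referer seen by the same-origin API call and by a third-party ad under each config."""
    cfgs = {"original": dict(xorigin_policy=1),
            "fmarier": dict(xorigin_trimming=2),
            "spoof": dict(spoof_source=True)}
    return {name: (referer_for(JIRA_PAGE, JIRA_API, **c), referer_for(ARTICLE, AD, **c))
            for name, c in cfgs.items()}
```

Under the fmarier config the ad network sees only `https://news.example/` rather than the article URL, which is the "which site, not which article" behaviour described above.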

@fmarier
Contributor

fmarier commented Jul 25, 2017

@collinbarrett Does JIRA/Confluence work with this config?

  • network.http.referer.spoofSource=true
  • network.http.referer.XOriginPolicy=0 (Firefox default)
  • network.http.referer.XOriginTrimmingPolicy=0 (Firefox default)

@collinbarrett
Author

collinbarrett commented Jul 26, 2017

Hi @fmarier ,

I can confirm that that config does work for Atlassian products. But, I cannot personally use it because Hangouts does not work with that config. (#328)

@fmarier
Contributor

fmarier commented Jul 26, 2017

Thanks @collinbarrett. I was asking so I could update my blog post with these new examples of broken websites that you have discovered.
