CSRF header should not be sent to cross domain sites #1469
Labels: enhancement (New feature or request)
Do not create duplicates. #1228

sebastien-helbert pushed a commit to sebastien-helbert/springdoc-openapi that referenced this issue (Jan 26, 2022)

This is not a duplicate.

bnasslahsen added the enhancement (New feature or request) label and removed the duplicate (This issue or pull request already exists) label (Jan 26, 2022)

Ok 👍

bnasslahsen added a commit that referenced this issue (Jan 26, 2022)
Describe the bug
When CSRF is enabled, a CSRF token is sent with each issued request, including requests to cross-domain sites.
This is a problem when the third-party server does not allow this header to be sent (this use case is well described in #1036),
and it may potentially be exploited by an attacker, as it can allow a third-party site to obtain a token from the main site and therefore forge a CSRF request.
To Reproduce
This can be reproduced easily with a password OAuth flow security scheme and a Keycloak server (which by default does not authorize the x-xsrf-token header to be sent, because it is not expected). See #1036.
Expected behavior
The CSRF header should not be added for cross-domain sites.
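The behaviour the "Expected behavior" section asks for, written out as an added example that is not springdoc's own code: a Swagger UI style `requestInterceptor` that reads the XSRF token from a cookie and attaches it only when the request resolves to the page's own origin (scheme, host and port all equal). The header and cookie names `X-XSRF-TOKEN` / `XSRF-TOKEN`, the page origin `https://app.example.com`, the Keycloak token URL and the cookie string are constructed for the example; the page origin and cookie string are passed in explicitly instead of being read from `window.location` and `document.cookie` so the code also runs outside a browser.

```javascript
// Added example (hypothetical, not springdoc-openapi code): attach the CSRF
// header only to same-origin requests so the token never leaves our origin.

const CSRF_HEADER = "X-XSRF-TOKEN"; // header name assumed for the example
const CSRF_COOKIE = "XSRF-TOKEN";   // cookie name assumed for the example

// Return the named cookie's value from a document.cookie-style string, or null.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Two URLs are same-origin only when scheme, host and port all match.
// Relative URLs ("/v3/api-docs") resolve against the page origin; protocol-
// relative ("//other.host/x") or unparsable URLs resolve to a foreign or
// "null" origin and are treated as cross-origin.
function isSameOrigin(requestUrl, pageOrigin) {
  let target;
  try {
    target = new URL(requestUrl, pageOrigin);
  } catch (e) {
    return false; // unparsable: never attach the token
  }
  return target.origin === new URL(pageOrigin).origin;
}

// Build a Swagger UI style requestInterceptor bound to a page origin and a
// cookie string. The interceptor returns the (possibly modified) request.
function makeCsrfInterceptor(pageOrigin, cookieString) {
  return function requestInterceptor(req) {
    if (!isSameOrigin(req.url, pageOrigin)) {
      return req; // cross-origin (e.g. a Keycloak token endpoint): leave headers untouched
    }
    const token = readCookie(cookieString, CSRF_COOKIE);
    if (token !== null) {
      req.headers = Object.assign({}, req.headers, { [CSRF_HEADER]: token });
    }
    return req;
  };
}

// Constructed sample data: our origin and a cookie jar holding the XSRF token.
const SAMPLE_ORIGIN = "https://app.example.com";
const SAMPLE_COOKIES = "JSESSIONID=abc123; XSRF-TOKEN=tok-1234";

// Run a few requests through the interceptor and report which got the header.
function demo() {
  const intercept = makeCsrfInterceptor(SAMPLE_ORIGIN, SAMPLE_COOKIES);
  const urls = [
    "/v3/api-docs",                                                          // same-origin
    "https://app.example.com/api/pets?limit=5",                              // same-origin
    "https://keycloak.example.com/realms/demo/protocol/openid-connect/token", // cross-origin
    "//evil.example.net/collect",                                            // cross-origin
    "https://app.example.com:8443/api",                                      // different port
  ];
  const result = {};
  for (const url of urls) {
    const req = intercept({ url, headers: { Accept: "application/json" } });
    result[url] = Object.prototype.hasOwnProperty.call(req.headers, CSRF_HEADER);
  }
  return result;
}

for (const [url, sent] of Object.entries(demo())) {
  console.log(`${sent ? "token sent   " : "token withheld"}  ${url}`);
}
```

The decisive check is the origin comparison, not a substring match on the host: `app.example.com.evil.net`, a protocol-relative URL and a different port all fail `isSameOrigin` and therefore never receive the token, which is exactly the case the report describes with the Keycloak token endpoint.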