Reject API requests with header Sec-Fetch-Site: cross-site

[Al2Klimov]

Is your feature request related to a problem? Please describe.

Our API doesn't protect GETs against CSRF to make it working in a browser.

Describe the solution you'd like

Modern browsers even indicate CSRFs, setting Sec-Fetch-Site to cross-site. Simply listen to the browser!

Describe alternatives you've considered

Do nothing.

Additional context

• net/http: add CrossOriginForgeryHandler golang/go#73626
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Site

[julianbrost]

What is this supposed to achieve?

Our API [...] in a browser.

Icinga 2 itself provides nothing that's supposed to be used in a browser.

protect GETs against CSRF

Why GET? CSRF is typically about state-changing request.

[Al2Klimov]

Icinga 2 itself provides nothing that's supposed to be used in a browser.

FYI, Icinga provides a lot (namely: all GET endpoints) that is explicitly supposed to be used in a browser. Proofs:

We explicitly support Chrome:

icinga2/lib/remote/apilistener.cpp

Line 696 in 33824c2

// Google Chrome 73+ seems not close the connection properly, https://stackoverflow.com/questions/56272906/how-to-fix-certificate-unknown-error-from-chrome-v73

We explicitly support running Icinga 2 and Web APIs and their cookies on the same host:

• Increase header size to 8KB for HTTP requests #6357

protect GETs against CSRF

Why GET? CSRF is typically about state-changing request.

To directly quote @Thomas-Gelf:

[With CSRF,] I can read [namely: GET] all of @dnsmichi's hosts [etc.]

What is this supposed to achieve?

To protect @dnsmichi's hosts from @Thomas-Gelf.

[julianbrost]

To directly quote (@)Thomas-Gelf:

[With CSRF,] I can read [namely: GET] all of (@)dnsmichi's hosts [etc.]

I don't know where that quote is from but that's not how CSRF works. CSRF is about sending a request in the context of the victim's browser using the victim's credentials. You as the attacker don't see the response, the response is in the victim's browser with the origin of Icinga 2 in that case, not an origin controlled by the attacker.

[Al2Klimov]

Then, maybe, Tom was wrong. I don't know, I trust him.

But even then, I as an attacker should be able to query all objects of a type with a very expensive filter (DoS) in the name of my victim (edit: w/o CSRF protection on GET).