Document AMP CSRF solution

[ericlindley-g]

I've gotten the question a couple times as to whether AMP supports CSRF tokens — it would be great to clearly articulate in the amp-form documentation how CSRF is handled, and why tokens are not needed.

/cc @aghassemi

[wgv-sethlivingston]

So they're not needed? Is it because of the requirements that are already in place for amp-form and the action-xhr attribute?

[molnarg]

See this documentation: https://github.com/ampproject/amphtml/blob/master/spec/amp-cors-requests.md#verify-state-changing-requests The same page is also there somewhere on the official website somewhere.

[wgv-sethlivingston]

Definitely not clear there whether they are required. :)

[ericlindley-g]

/cc @bpaduch

[ghost]

will look @ in: Q2

[ericlindley-g]

Thanks! /cc @lswang1618 as she might have more insight into what e-comm developers need in this area

[cvializ]

AMP will need to add functionality to amp-form to enable XSRF token support, since XSRF tokens are usually added to forms by the server rendering the HTML, which does not work for AMP since the document will be cached. So the token needs to be requested and rendered into the form by AMP.

This CSRF token feature has been partially spec'd and will be necessary to allow file upload (#9791) and password fields (#10902) in non-XHR forms.

[jean-felipe]

Some update about enable CSRF token in forms? I use Rails as backend and for security we need that CSRF token to be send on parameters, but this token should be the same as <meta name="csrf-token" content="token=="> if you could add this to amp-form or tell me a way to get this token from meta tag.

[aghassemi]

https://amp.dev/documentation/guides-and-tutorials/learn/amp-caches-and-cors/amp-cors-requests#restrict-requests-to-source-origins covers this.

Essentially there is no need for a CSRF token, checking request origin and __amp_source_origin in XHR post is enough.