Angular Double Submit Cookie pattern for CSRF suffers from sub-domain cookie overwrite? #34752
Please read https://angular.io/guide/security#report-issues on how to disclose security-related issues.
I assume Angular only asks the server to compare the value of the XSRF-TOKEN cookie to the value of the X-XSRF-TOKEN request header. This is the double submit cookie strategy, right?
What happens if the attacker owns a sub-domain, overwrites the XSRF-TOKEN cookie and forges the request? Why didn't Angular use the Synchronizer Token Pattern to prevent CSRF attacks?
As explained here, the Synchronizer token pattern is a little more complex for the server (e.g. you will need to keep the token in the user's session info on the server in order to verify each request). It is more suitable for HTML-based applications that use forms to submit requests.
SPAs (which is what you usually build with Angular) do not typically rely on forms for submitting requests and there is no clear, generic way of setting up the Synchronizer token pattern. Of course, it is possible to implement it in our app (in a way specific to your app).
In contrast, the Cookie-to-header token technique that Angular uses by default (which is slightly different from the Double Submit Cookie technique) can be implemented in a way that is generic (i.e. fits most (all?) apps built with Angular) and can be easily utilized by JS (which does the heavy lifting in SPAs). It is also simpler to implement the server part.
Finally, you can configure the cookies sent by the server to not be accessible on subdomains (if you don't control them). For more details, see this StackOverflow answer.
Closing the issue, since everything seems to work as expected, but feel free to continue the discussion below.
BTW, if you think you have identified an actual security vulnerability in Angular, please report it following the instructions here.