Skip to content

feat(security): Automatic XSRF handling. #8898

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
May 31, 2016
Merged

Conversation

mprobst
Copy link
Contributor

@mprobst mprobst commented May 28, 2016

What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)

  • Feature

Does this PR introduce a breaking change?

  • Yes
  • No

Automatically recognize XSRF protection cookies, and set a corresponding XSRF
header. Allows applications to configure the cookie names, or if needed,
completely override the XSRF request configuration by binding their own
XSRFHandler implementation.

Part of #8511.

@mprobst
Copy link
Contributor Author

mprobst commented May 28, 2016

@rjamet PTAL from a security perspective.
@mhevery PTAL for the new API addition (see public_api_spec.ts).

@mprobst mprobst mentioned this pull request May 28, 2016
17 tasks
@mprobst mprobst added action: review The PR is still awaiting reviews from at least one requested reviewer action: review area: security Issues related to built-in security features, such as HTML sanitation feature Issue that requests a new feature labels May 28, 2016
* `XSRFHandler` allows customizing how the application protects itself against Cross Site Request
* Forgery (XSRF) attacks. By default, Angular will look for a cookie called `'XSRF-TOKEN'`, and set
* an HTTP request header called `'X-XSRF-TOKEN'` with the value of the cookie on each request,
* allowing the server side to validate that the request comes from its own front end.
Copy link
Contributor

@rjamet rjamet May 30, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Somewhat out of scope, but it's probably the right place to put a warning saying that Angular won't do that for you, and your backend has to check that in every relevant api point ?

@rjamet
Copy link
Contributor

rjamet commented May 30, 2016

LGTM on the code, +@koto and @molnarg anyways.

However, this might need more doc, or links to https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) for instance ? The problem is straightforward, but it's not obvious how Angular having this automatic header addition from cookie values helps, and what should a developer do with this to prevent issues.

configureRequest(req: Request) {
let xsrfToken = getDOM().getCookie(this.cookieName);
if (xsrfToken && !req.headers.has(this.headerName)) req.headers.set(this.headerName, xsrfToken);
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Usually the GET requests don't need the XSRF token, but if Angular 1 did it for GET as well (I don't know that), it's better to have backwards compatibility here.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it did, a quick review of the doc and implementation doesn't seem to discriminate on that (doc at https://github.com/angular/angular.js/blob/0727bfc141db6e60bce2fb1e09ad4f53963dec5d/src/ng/http.js#L770)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, not needed, but I think it's better to make it a decision of the server side when to enforce XSRF, and just unconditionally send the headers by default here.

@koto
Copy link
Contributor

koto commented May 30, 2016

LGTM (modulo the notes above).

@molnarg
Copy link

molnarg commented May 31, 2016

LGTM

@mprobst
Copy link
Contributor Author

mprobst commented May 31, 2016

@rjamet I added a link in a somewhat random location. We're working on the security documentation, I plan to link to a central "here's all about security in Angular 2" doc once we have that.

@mprobst mprobst added pr_state: LGTM action: merge The PR is ready for merge by the caretaker and removed action: review action: review The PR is still awaiting reviews from at least one requested reviewer labels May 31, 2016
@@ -164,7 +191,8 @@ export const HTTP_PROVIDERS: any[] = [
BrowserXhr,
provide(RequestOptions, {useClass: BaseRequestOptions}),
provide(ResponseOptions, {useClass: BaseResponseOptions}),
XHRBackend
XHRBackend,
provide(XSRFHandler, {useValue: new CookieXSRFHandler()}),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

useClass ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nope. Our injector does not support arguments with default values, it'll complain about a binding for String missing.

@mhevery
Copy link
Contributor

mhevery commented May 31, 2016

LGTM

Automatically recognize XSRF protection cookies, and set a corresponding XSRF
header. Allows applications to configure the cookie names, or if needed,
completely override the XSRF request configuration by binding their own
XSRFHandler implementation.

Part of angular#8511.
private _cookieName: string = 'XSRF-TOKEN', private _headerName: string = 'X-XSRF-TOKEN') {}

configureRequest(req: Request) {
let xsrfToken = getDOM().getCookie(this._cookieName);
Copy link

@tlaverdure tlaverdure Jun 17, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems related to this issue - #9294

@angular-automatic-lock-bot
Copy link

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Sep 8, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
action: merge The PR is ready for merge by the caretaker area: security Issues related to built-in security features, such as HTML sanitation cla: yes feature Issue that requests a new feature
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants