Potential for reset password link with token to leak to third-parties via the Referer header #5003
Comments
|
There's a discussion about this in this PR: #4366 |
|
Rails started setting |
|
I didn't know about that @sonalkr132, thanks for sharing! I'm more inclined to use the |
|
The Which means that there actually has to be a stronger way to enforce this. In my opinion, the session idea from Clearance sounds nice. |
I searched to see if this had been brought up before and couldn't find any open or closed issue or PR that mentioned it. If there is one and I missed it, please let me know.
As discussed in this thoughtbot article the reset password link with the token can be leaked to third-parties (CDN, analytics, links to other third-party domains from your site) via the Referer header which is sent by the browser with all requests from the current page (edit password in this case). To fix this in our app I've done something similar to what they did to solve this in Clearance by temporarily storing the reset password token in the session and redirecting the user back to the password edit page without the reset password token in the url params. The token is then pulled from the session to be used in the form.
I'm wondering if this is something you'd be interested in fixing in Devise and if so I'd be happy to put in a PR.
The text was updated successfully, but these errors were encountered: