spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Docs - Improve CSRF section 18.5.4 Multipart (file upload) #4265

Open andreiepure opened 7 years ago

andreiepure commented 7 years ago

Summary

The current docs say that there are two options to handle CSRF protection with multipart/form-data - not having security on multi-part file transfer or sending the CSRF token with the URL. The second is a security breach, as the docs mention.

Expected Behavior

A third option should be added: adding the CSRF token to the XHR POST request header sent to the server. This option works, I have tested it with Spring-Boot 1.5.2.RELEASE. I detailed the steps on SO.

Basically, it follows the guideline of sending the CSRF token via an AJAX request (and submitting the multi-part form using an AJAX request).

Version

Spring Security 4.2.2 - 18.5.4 Multipart (file upload)

ryanblais commented 4 years ago

Including the CSRF token in the request header works for me as well (even if the MultipartFilter is not defined before the Spring Security filter). I agree that a third option should be added (and might be the best default suggestion). If there's a reason to avoid this approach that I've overlooked, it seems even more imperative to document it!

The relevant section is now under 13.1.5 CSRF Caveats - Multipart (file upload)

Tested using Spring Security 5.1.6

olimination commented 4 years ago

This third approach, adding the HTTP X-XSRF-TOKEN header to the request, worked for me too. But I also needed to properly configure the CORS settings with Access-Control-Allow-Credentials=true, and on the client side the XHR object needed the withCredentials=true property set, because I was using it in a single page app.

Tested using Spring Security 5.2.2
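The client-side half of the third option described in the first comment (CSRF token sent as a request header on an XHR/fetch multipart POST) and the cross-origin variant from the comment above (credentials included so the session and XSRF-TOKEN cookies travel with the request) are shown here as an added example; it is not code from this issue or from the Spring Security project. It assumes the server uses Spring Security's cookie-based token repository, so the token is readable from the `XSRF-TOKEN` cookie and is expected back in the `X-XSRF-TOKEN` header; the `fetchImpl` parameter, the sample cookie string and the constructed form body are test conveniences, not part of any real API.

```javascript
// Pull one cookie value out of a document.cookie-style string.
// Returns null when the cookie is absent, so callers can refuse to send.
function readCookie(cookieString, name) {
  for (const part of (cookieString || '').split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Build the fetch() init object for a multipart upload that carries the
// CSRF token in a header instead of the URL (the URL variant leaks the
// token into logs and Referer headers, which is why the docs warn against it).
// Content-Type is deliberately NOT set: the browser adds the correct
// "multipart/form-data; boundary=..." header for a FormData body.
function buildUploadRequest(formData, csrfToken, options = {}) {
  const { headerName = 'X-XSRF-TOKEN', crossOrigin = false } = options;
  if (!csrfToken) {
    // Fail closed: an upload without a token would be rejected by the
    // server anyway, and silently dropping the header hides misconfiguration.
    throw new Error('CSRF token not found; refusing to send multipart request');
  }
  return {
    method: 'POST',
    headers: { [headerName]: csrfToken },
    body: formData,
    // Same-origin apps only need the default; a single page app on another
    // origin needs 'include' (the fetch equivalent of XHR withCredentials=true)
    // and a server CORS policy with Access-Control-Allow-Credentials: true.
    credentials: crossOrigin ? 'include' : 'same-origin',
  };
}

// Send the upload. fetchImpl is injectable so the function can be exercised
// offline with a fake; in a browser it defaults to the global fetch.
function uploadWithCsrf(url, formData, options = {}) {
  const {
    cookieString = typeof document !== 'undefined' ? document.cookie : '',
    cookieName = 'XSRF-TOKEN',
    headerName = 'X-XSRF-TOKEN',
    crossOrigin = false,
    fetchImpl = globalThis.fetch,
  } = options;
  const token = readCookie(cookieString, cookieName);
  const init = buildUploadRequest(formData, token, { headerName, crossOrigin });
  return fetchImpl(url, init);
}

// Constructed sample cookie jar, as a browser would expose it via document.cookie.
const SAMPLE_COOKIES = 'JSESSIONID=0123456789ABCDEF; XSRF-TOKEN=a1b2c3d4-constructed-token';
```

In a page served by the same Spring Boot app, the call is simply `uploadWithCsrf('/upload', new FormData(formElement))`; for a separate SPA origin pass `{ crossOrigin: true }` and make sure the CORS configuration on the server allows credentials and the `X-XSRF-TOKEN` request header.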

rwinch commented 4 years ago

Anyone here willing to submit a PR?

signalman commented 9 months ago

I'd love to work on this. Would it be possible?