[Fedora Infrastructure] #3796: remove _csrf_token from display URLs

#3796: remove _csrf_token from display URLs
--------------------------+-----------------------------
  Reporter:  till         |      Owner:  webmaster
      Type:  enhancement  |     Status:  new
  Priority:  major        |  Milestone:  HANDWAVY-FUTURE
 Component:  Web Content  |    Version:
  Severity:  Normal       |   Keywords:
Blocked By:               |   Blocking:
 Sensitive:  0            |
--------------------------+-----------------------------
 = problem =
 Several web-apps use a URL parameter called _csrf_token to prevent CSRF
 attacks. This token is shown in the URL location bar in browsers and makes
 URLs ugly and might lead to people exposing their CSRF token in e-mails.

 = analysis =
 HTML5 allows manipulating the contents of the URL location bar.

 = enhancement recommendation =

 Deploy JavaScript like
 {{{
 // Drop "_csrf_token=<40 hex chars>" together with the separator that
 // follows it (so "?_csrf_token=...&x=1" becomes "?x=1"), then strip a
 // separator left dangling at the end of the query string, also when a
 // fragment follows.
 new_url = window.location.href
     .replace(/([?&])_csrf_token=[0-9a-f]{40}&?/, "$1")
     .replace(/[?&](?=#|$)/, "");
 history.replaceState({}, document.title, new_url);
 }}}
 to remove the CSRF token from URLs shown in browsers.

 This code might be adjusted to work in all browsers, but it works at least
 in Firefox. Maybe a JavaScript expert can take a look. The only
 disadvantage of this method is that going back in the history will reload
 a page that requires re-verification. But this might be solved by
 storing the CSRF token in the history state. Also it does not seem to
 really cause trouble.

-- 
Ticket URL: <https://fedorahosted.org/fedora-infrastructure/ticket/3796>
Fedora Infrastructure <http://fedoraproject.org/wiki/Infrastructure>
Fedora Infrastructure Project for Bugs, feature requests and access to our source code.
-- 
websites mailing list
websites@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/websites
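The following is an added example, not code from the ticket or from any Fedora web-app: it carries the ticket's idea one step further by keeping the stripped token in history.state, so a page that comes back via Back/Forward can still hand the token to its form or XHR instead of having to re-verify. The URL parsing is done with the WHATWG URL API rather than the ticket's regexes; the parameter name _csrf_token is taken from the ticket, the hostname and helper names are made up for the example, and the browser wiring is skipped when no window exists so the pure part runs under Node as well.

```javascript
// Added example (not the ticket's code). Assumes the CSRF token travels in the
// query parameter "_csrf_token", as described in the ticket.
const TOKEN_PARAM = "_csrf_token";

// Pure function: remove the token from an absolute URL and return both the
// cleaned URL and the token value (or null when the parameter is absent).
// URLSearchParams.delete() drops the "?" entirely when no parameters remain,
// so "?_csrf_token=..." alone yields no dangling "?" and fragments survive.
function stripCsrfToken(href) {
  const url = new URL(href);
  const token = url.searchParams.get(TOKEN_PARAM);
  if (token === null) {
    return { cleaned: href, token: null };
  }
  url.searchParams.delete(TOKEN_PARAM);
  return { cleaned: url.toString(), token };
}

// Browser side: rewrite the location bar and stash the token in history.state
// so a later popstate/back navigation can recover it without a reload.
// Returns the token that was hidden, or null when nothing was done.
function hideCsrfTokenFromLocationBar() {
  if (typeof window === "undefined" || !window.history ||
      typeof window.history.replaceState !== "function") {
    return null; // not running in a browser (e.g. under Node)
  }
  const { cleaned, token } = stripCsrfToken(window.location.href);
  if (token === null) {
    return null;
  }
  // Merge with any state the page already stored rather than clobbering it.
  const state = Object.assign({}, window.history.state || {}, { [TOKEN_PARAM]: token });
  window.history.replaceState(state, document.title, cleaned);
  return token;
}

// Read the token back for use in a form field or request header. Pages that
// were restored from history keep the state object they were given above.
function csrfTokenFromHistoryState(historyLike) {
  const h = historyLike || (typeof window !== "undefined" ? window.history : null);
  const state = h && h.state;
  return state && typeof state[TOKEN_PARAM] === "string" ? state[TOKEN_PARAM] : null;
}

// Run on page load when in a browser; harmless elsewhere.
hideCsrfTokenFromLocationBar();
```

Because the token now lives only in history.state and the form/XHR code, it never appears in copied links or browser history entries shown to the user, while the server-side CSRF check is unchanged.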