However, one point of clarification:
> Several participants in that discussion have suggested that this method should be upgraded to a complete alternative to the standard token-based approaches. The OWASP maintainer was initially skeptical, but towards the end of the thread they appear to be warming up to the idea and in search of opinions from other leading security experts. So it is quite possible that this method will become mainstream in the near future.
The maintainer didn't just warm up to the idea - they came to accept it, otherwise the changes wouldn't have ever landed. So, the quoted section is somewhat unintentionally calling the maintainer's integrity into question.
Though, I just noticed that the cheatsheet text has changed significantly from what we settled upon. Fetch Metadata has been relegated again to defense in depth status. Hopefully there was just some mistake.
It's often easier to smuggle a same-origin request than to steal a CSRF token, so you're widening the set of things you're vulnerable to by hoping that this can protect state mutating GETs.
The bugs mentioned in the GitHub issue are some of the sorts of issues that will hit you, but also common things like open redirects turn into a real problem.
Not that state mutating GETs are a common pattern, but it is encoded as a test case in the blog post's web framework.
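As an added example, not code from the thread, the cheatsheet, or the blog post's framework: this is how the two positions above compose in practice, with Fetch Metadata as a defense-in-depth layer in front of a per-session token check. The policy follows the commonly published resource isolation pattern (allow `same-origin`, `same-site` and `none`; allow cross-site top-level navigations; block everything else cross-site), and it deliberately shows that a cross-site navigation GET passes the policy, which is why a state-mutating GET is not protected by Fetch Metadata alone. The header name `X-CSRF-Token`, the `authorize` function and the sample requests are constructed for this example.

```python
"""Added example (not from the discussion above): CSRF defense in depth that
layers a Fetch Metadata resource isolation policy on top of a session token.
Helper names, the X-CSRF-Token header and all sample requests are assumed."""
import hmac
from typing import Dict, Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TOKEN_HEADER = "X-CSRF-Token"  # assumed header name for this example


def fetch_metadata_allows(method: str, headers: Dict[str, str]) -> bool:
    """Resource isolation policy driven by the Sec-Fetch-* request headers.

    Returns True when the request may proceed to the next check.  Browsers
    that do not send Sec-Fetch-Site are let through so the policy does not
    break older clients; that gap is why it is only a defense-in-depth layer
    and the token check below stays as the primary control."""
    site = headers.get("Sec-Fetch-Site")
    if site is None:
        return True  # legacy client: decided solely by the token check
    if site in ("same-origin", "same-site", "none"):
        return True
    # Cross-site: allow only plain top-level navigations (following a link),
    # which is exactly the path a state-mutating GET would be reachable on.
    mode = headers.get("Sec-Fetch-Mode")
    dest = headers.get("Sec-Fetch-Dest")
    return mode == "navigate" and method == "GET" and dest not in ("object", "embed")


def token_valid(session_token: str, presented: Optional[str]) -> bool:
    """Constant-time comparison of the presented token with the session's."""
    return presented is not None and hmac.compare_digest(session_token, presented)


def authorize(method: str, headers: Dict[str, str], session_token: str) -> str:
    """Return 'allow' or a string naming which layer rejected the request."""
    method = method.upper()
    if not fetch_metadata_allows(method, headers):
        return "blocked: cross-site request (Fetch Metadata)"
    if method in SAFE_METHODS:
        # Safe methods are waved through here; the application must therefore
        # never mutate state on GET, because a cross-site navigation GET
        # reaches this point without any token.
        return "allow"
    if not token_valid(session_token, headers.get(TOKEN_HEADER)):
        return "blocked: missing or invalid CSRF token"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests, one per path through the checks.
    session = "s3ssion-t0ken-example"
    samples = [
        ("POST", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors"}),
        ("POST", {"Sec-Fetch-Site": "same-origin"}),
        ("POST", {"Sec-Fetch-Site": "same-origin", TOKEN_HEADER: session}),
        ("GET", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
                 "Sec-Fetch-Dest": "document"}),
        ("POST", {TOKEN_HEADER: session}),  # old browser, no Sec-Fetch-*
    ]
    for m, h in samples:
        print(m, h, "->", authorize(m, h, session))
```

The fourth sample is the point the second comment makes: a cross-site top-level GET is allowed by the policy by design, so any endpoint that mutates state on GET has no CSRF protection from this layer at all; only refusing to mutate on safe methods (and requiring the token on unsafe ones) closes that hole.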