page-cache
page-cache copied to clipboard
JosephSilber
Token mismatch
Definitely it's great work. I have a problem with token mismatch. It caches my view for GET request with html form but when submit the form it's fail because the package not updating the CSRF token in form which loaded with GET request and cached.
Getting CSRF token by ajax in html cache file might be security risk. What is the solution?
Why do you think getting via AJAX would be a security risk?
Suppose I am getting CSRF by endpoint example.com/csrf-token
public function serveCsrf(){
return csrf_token();
}
Now anyone can get the CSRF token by endpoint example.com/csrf-token from cross site and can make POST request easily to any POST request endpoint.
Browsers don't allow cross-site AJAX requests (unless specifically allowed via CORS headers).
Think about it: if this would be a concern, putting the CSRF token in the HTML would be open to the exact same attack. There would be nothing stopping a malicious site from making an AJAX request to your HTML page, and parse out the token.
Luckily browsers don't allow that!
Parsing content from an html page is easy, if CORS was all we needed then LinkedIn wouldn't have a problem blocking all the web scrappers. Using a headless browser is easy to capture a page and parse out the CSRF token. leaving your crsf on an endpoint is a security whole, the OP is correct.
The solution is actually already available to you, thanks to Laravel storing the CSRF in the cookie on every page visit. Check your developer toolbar for cookies and find XSRF-TOKEN storing the correct csrf token.
Just rewrite your application to pull this cookie and update it onReady.
