[Ur] CSRF protection
Adam Chlipala
adamc at csail.mit.edu
Mon Nov 25 18:12:27 EST 2013
On 11/25/2013 05:55 PM, Chris Double wrote:
> If I understand correctly, Ur/Web has built-in CSRF protection for
> forms. Does this extend to post requests done via 'rpc' calls in
> 'onclick' handlers on buttons? For example:
>
> <button onclick={fn _ => rpc (delete_something ())}/>
>
> Can the POST request that occurs in the onclick be recorded and
> replayed, or run via an evil site in an iframe (or any other CSRF
> vector)?
>
> A quick test gave me a cookie error so I'm thinking it's safe but I'd
> like to confirm.
>
All requests that cause persistent side effects are meant to be
CSRF-protected. There's something in particular in there for [rpc].
I'm not sure offhand if there are holes, maybe via 'safeGet', but the
intent is that you're OK if you don't go making funny .urp settings.
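A worked version of the pattern Chris asks about, added here as an example; it is not code from the thread or from the Ur/Web distribution, and the table name, the handler name and the page layout are made up:

```ur
(* Added example; not from the thread.  'item' and 'deleteItem' are made-up names. *)
table item : { Id : int, Name : string }
  PRIMARY KEY Id

(* The persistent side effect lives here.  Because the function runs DML,
   Ur/Web treats it as side-effecting, so it is only reachable through a
   CSRF-protected request; below it is invoked as an rpc from client code. *)
fun deleteItem (id : int) : transaction unit =
    dml (DELETE FROM item WHERE Id = {[id]})

(* The page: one Delete button per row.  Each click issues an rpc carrying
   that row's Id; nothing on this page uses a plain GET link for the delete. *)
fun main () : transaction page =
    rows <- queryX1 (SELECT * FROM item)
                    (fn r => <xml><li>
                      {[r.Name]}
                      <button value="Delete" onclick={fn _ => rpc (deleteItem r.Id)}/>
                    </li></xml>);
    return <xml><body>
      <ul>{rows}</ul>
    </body></xml>
```

Build it with a .urp that contains the usual `database` and `sql` lines plus the module name and nothing else; in particular no `safeGet` entry for the handler, which, on my reading of Adam's reply (an assumption here, check the manual), is the .urp setting that declares a handler safe to call via GET and so takes it out of the check. To confirm the protection the way Chris did, record the rpc POST the button sends and replay it from outside the page (another origin, or with the session cookie stripped); the expected result is a rejected request, as his cookie error showed, not a deleted row.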