OpenIDM issue OPENIDM-1825: Relax restrictions on GET requests, so that the presence of a custom header isn't necessary


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: OpenIDM 3.0.0
    • Fix Version/s: OpenIDM 3.0.0
    • Component/s: Module - Authorization
    • Labels: None

      Description

      According to this NSA guideline: http://www.nsa.gov/ia/_files/support/guidelines_implementation_rest.pdf (page 14):

      It is important to note that because CSRF is a blind attack and cannot read content from an attack, CSRF protections need only be applied to endpoints that will modify information in some way. This means that if a true RESTful implementation is used, the CSRF protections described above only need to be applied to requests using the POST, PUT or DELETE verbs. This assumes that GET is used as intended by RFC 2616. If a non-standard RESTful implementation is used, the need for CSRF protection on an endpoint will vary by application.

      The "protections described above" include the check for a custom HTTP header, which is what we currently do for CSRF attack prevention. We should keep this in place for most verbs, but there is no need to do so for GET requests (they are always read-only, and the response isn't available to a CSRF attacker). Having this restriction on GET is a hassle for legitimate clients which might wish to do a direct read on an endpoint (particularly browsers using something other than XHR). This will become especially relevant when we start serving non-JSON content from our endpoints (ref: CREST-108). This will be an easy change: a simple update to our default router-authz.js file.
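      The policy described above, as an added illustration that is not OpenIDM's own router-authz.js: the custom-header check is kept for state-changing verbs and skipped for GET. The header name (X-Requested-With) and the request shape ({method, headers}) are assumptions for the example, not taken from the project.

```javascript
// Added example (not OpenIDM's router-authz.js): decide whether a request must
// carry the anti-CSRF custom header before it is routed to an endpoint.
// Assumption: the header is "X-Requested-With"; real deployments may use another.
const CSRF_HEADER = "x-requested-with"; // lowercased for case-insensitive lookup

// Verbs that may modify server state and therefore keep the header check.
// GET is deliberately absent: it is read-only per RFC 2616 and a CSRF attacker
// cannot read its response, so the header adds nothing there. This is only
// safe if no GET handler has side effects.
const STATE_CHANGING_VERBS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

function hasCsrfHeader(headers) {
  // HTTP header names are case-insensitive; normalise before comparing.
  for (const name of Object.keys(headers || {})) {
    if (name.toLowerCase() === CSRF_HEADER && String(headers[name]).length > 0) {
      return true;
    }
  }
  return false;
}

// Returns { allowed, reason }. Unrecognised verbs fail closed.
function authorizeRequest(request) {
  const verb = String(request.method || "").toUpperCase();
  if (verb === "GET") {
    return { allowed: true, reason: "GET is read-only: custom header not required" };
  }
  if (!STATE_CHANGING_VERBS.has(verb)) {
    return { allowed: false, reason: "unrecognised verb " + verb };
  }
  if (hasCsrfHeader(request.headers)) {
    return { allowed: true, reason: "custom header present on " + verb };
  }
  return { allowed: false, reason: "missing " + CSRF_HEADER + " header on " + verb };
}

// Constructed sample requests: a plain browser navigation (no custom header),
// a cross-site HTML form submission, and an XHR call that sets the header.
const browserRead = { method: "GET", headers: { Accept: "text/html" } };
const formPost = { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" } };
const xhrPost = { method: "POST", headers: { "X-Requested-With": "XMLHttpRequest" } };
```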


            People

            Assignee: jake.feasel (Jake Feasel)
            Reporter: jake.feasel (Jake Feasel)
