Comments (12)
Crumb protection is not being skipped when CORS is turned on. The crumb cookie will only be set for domains listed in the allowOrigins
setting, but crumb protection will still be enabled for all requests. The whole purpose of the security fix was to not leak the crumb token to unauthorized Cross Origin requests.
If crumb is not currently behaving like this, it is a bug.
Will verify today.
from crumb.
We might need to expose the Origin match utility in hapi then to do this properly.
from crumb.
Does it just not set the cookie or also doesn't validate the form if no cookie is set?
from crumb.
@hueniverse if a CORS request is from an unknown Origin, the generate
function isn't called and a cookie isn't returned.
That is the only code affected by CORS
Where is the Origin match utility in HAPI? I would be happy to integrate that
from crumb.
Can you explain this to me: https://github.com/hapijs/crumb/blob/master/lib/index.js#L203-L206
It makes no sense. You are comparing the incoming host header to the connection host. The way you are testing it is based on the old shot module behavior where it didn't set the host header properly. I upgraded to hapi 11 and half the tests broke.
from crumb.
In hapi v12 you should use request.info.cors.isOriginMatch
exclusively without using any of the custom config stuff you have in crumb right now. IOW, we need a new major version of crumb for hapi v12.
from crumb.
Ok will do. Thanks for exposing that
On Jan 2, 2016 2:23 PM, "Eran Hammer" [email protected] wrote:
In hapi v12 you should use request.info.cors.isOriginMatch exclusively
without using any of the custom config stuff you have in crumb right now.
IOW, we need a new major version of crumb for hapi v12.—
Reply to this email directly or view it on GitHub
#61 (comment).
from crumb.
Using request.info.cors.isOriginMatch
alone won't allow a route to set the crumb for a CORS client and same-origin client (ie server rendered page)
That was what the extra logic had been for. Set crumb if it's a same-origin request OR an allowed CORS origin.
Maybe we don't support that, but it had been a request that came in an issue.
from crumb.
What does it mean "same origin request"? This line: https://github.com/hapijs/crumb/blob/master/lib/index.js#L203-L206 makes no sense as described above. Upgrade the tests to hapi v12 and see what happens.
from crumb.
I have already upgraded and tested locally (hapi12) branch.
Sorry for not explaining well. What I'm trying to describe is an edge case and probably not worth supporting.
Should be able to PR the update later today
from crumb.
6.0.0 release addresses this
from crumb.
This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.
from crumb.
Related Issues (20)
- How does the check between the cookie and the header actually work? HOT 5
- Publish version 7.2.0 to npm HOT 6
- Getting a deprecation warning when installing HOT 2
- cookie not being parsed into request.headers instead still in request.state.crumb HOT 2
- unable to implement crumb for csrf protection in application with api's developed using hapi and front end developed using angular HOT 3
- Suggest to secure cookie by default in documentation HOT 3
- Change module namespace HOT 1
- Action required: Greenkeeper could not be activated 🚨 HOT 1
- Update deps HOT 1
- Update joi HOT 1
- Per-Request VS Per-Session option? HOT 4
- support legacy cookies for samesite policy in iframe HOT 1
- Only node 12
- Change plugin name to @hapi/crubm
- Drop hapi v17 and v18
- isSecure settings are not working HOT 1
- Plugin strips security headers HOT 3
- Unable to add crumb token to payload with h2o2 proxy HOT 3
- HMAC based token pattern
- PUT / DELETE requests don't do crumb validation
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from crumb.