Investigate the feasibility of replacing CSRF tokens #7983
jonasraoni started this conversation in Proposals (0 comments)
Describe the problem you would like to solve
Based on this comment: https://github.com/pkp/pkp-lib/pull/7578/files#r775369112.
I just remembered that some people have been experimenting with replacing CSRF tokens with the Origin header (e.g. https://www.brandur.org/fragments/origin).
The Origin header is somewhat safe: if proxies attempted to remove/break it, they would also break CORS requests. The only bad thing I can remember is that old browsers didn't provide this header.
If that sounds interesting (easier to automate + less code), we can investigate it further.
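To make the proposal concrete, here is an added illustration (not code from pkp-lib or from the linked fragment) of what an Origin-based CSRF check looks like for a state-changing request, including the two cases the post's caveat raises: the header being absent (old browsers) and the header carrying the opaque value `null`. The allowed origin `https://journal.example.org`, the header dictionaries and the Referer fallback are all assumptions made for the example; a real deployment would derive the allowed set from its configured base URL.

```python
from urllib.parse import urlsplit

# Constructed for this example: origins from which state-changing requests
# are legitimate. Comparison is exact on scheme + host + port, so a lookalike
# such as journal.example.org.attacker.example never matches.
ALLOWED_ORIGINS = frozenset({"https://journal.example.org"})

# Methods that must not change state and therefore need no CSRF check.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Reduce an Origin or Referer value to lower-cased scheme://host[:port].

    Returns None when the value has no usable scheme/host (for example the
    literal string "null") or an unparseable port.
    """
    parts = urlsplit(value.strip())
    scheme = parts.scheme.lower()
    if not scheme or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    origin = f"{scheme}://{parts.hostname.lower()}"
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        origin += f":{port}"
    return origin


def check_request(method, headers):
    """Decide whether a request passes the Origin-based CSRF check.

    Returns (allowed, reason). Header names are matched case-insensitively.
    Assumption of this example: when Origin is missing, the Referer header is
    used as a second source of the request's origin; if both are missing the
    request is rejected (fail closed), which is exactly where old browsers
    that never sent Origin would be affected.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no check needed"

    lowered = {name.lower(): value for name, value in headers.items()}

    if "origin" in lowered:
        source = "Origin"
        raw = lowered["origin"]
        # "null" is the opaque origin (sandboxed iframe, some redirects,
        # privacy modes). It can never prove same-origin, so reject it.
        if raw.strip().lower() == "null":
            return False, "Origin is 'null' (opaque origin)"
    elif "referer" in lowered:
        source = "Referer"
        raw = lowered["referer"]
    else:
        return False, "neither Origin nor Referer present"

    candidate = normalize_origin(raw)
    if candidate is None:
        return False, f"{source} header is not a parseable URL"
    if candidate not in ALLOWED_ORIGINS:
        return False, f"{source} {candidate} is not an allowed origin"
    return True, f"{source} matches an allowed origin"


if __name__ == "__main__":
    # Constructed sample requests exercising the normal and edge cases.
    samples = [
        ("POST", {"Origin": "https://journal.example.org"}),
        ("POST", {"Origin": "https://journal.example.org:443"}),
        ("POST", {"Origin": "https://journal.example.org.attacker.example"}),
        ("POST", {"Origin": "null"}),
        ("POST", {"Referer": "https://journal.example.org/submissions/1"}),
        ("POST", {}),
        ("GET", {}),
    ]
    for method, headers in samples:
        allowed, reason = check_request(method, headers)
        print(f"{method:4} {headers!s:60} -> {'allow' if allowed else 'deny '} ({reason})")
```

The normalization step matters more than it looks: browsers send `Origin` without a path and with the default port omitted, while `Referer` carries a full URL, so both are reduced to the same `scheme://host[:port]` form before the exact-match comparison against the allowed set.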