Investigate the feasibility of replacing CSRF tokens #7983
jonasraoni
started this conversation in
Proposals
Replies: 0 comments
Describe the problem you would like to solve
Based on this comment https://github.com/pkp/pkp-lib/pull/7578/files#r775369112.
I just remembered that some people have been experimenting with replacing CSRF tokens with the Origin header (e.g. https://www.brandur.org/fragments/origin).
The Origin header is somewhat safe: if proxies attempt to remove or break it, they would also break CORS requests. The only bad thing I can remember is that old browsers didn't provide this header.
If that sounds interesting (easier to automate + less code), we can investigate it further.
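To make the proposal concrete, here is an added example of what an Origin-based CSRF check looks like, written for this discussion rather than taken from pkp-lib or from the linked article. It assumes a request is represented by its HTTP method and a dict of headers, and that the application is configured with an allow-list of its own origins (`allowed_origins` is a hypothetical setting). It deliberately handles the cases the header check has to get right: safe methods are skipped, the `null` Origin (sandboxed iframes, some cross-origin redirects) is rejected, a scheme downgrade does not match, the Referer origin is used as a fallback when Origin is absent, and a request carrying neither header is rejected unless the deployment opts in to permitting it (the old-browser case mentioned above).

```python
from urllib.parse import urlsplit

# Methods that must not change state and therefore need no CSRF check.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce a URL or Origin value to a canonical 'scheme://host[:port]'.

    Returns None for anything that is not a real origin, including the
    literal 'null' Origin, a missing scheme/host, or a malformed port.
    """
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        host = parts.hostname  # already lower-cased by urlsplit
        port = parts.port      # may raise ValueError on a bad port
    except ValueError:
        return None
    if scheme not in _DEFAULT_PORTS or not host:
        return None
    if port is None or port == _DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def csrf_check(method, headers, allowed_origins, *, allow_missing=False):
    """Origin/Referer-based CSRF decision for one request.

    Returns (accepted, reason). `allowed_origins` is the application's own
    origin(s), a hypothetical config value; each entry is canonicalised with
    origin_of() so 'https://Host:443' and 'https://host' compare equal.
    `allow_missing` is the policy knob for requests that carry neither
    header (old browsers or a stripping proxy); it defaults to rejecting.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no check needed"

    allowed = {o for o in map(origin_of, allowed_origins) if o is not None}
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    origin = hdrs.get("origin")
    if origin is not None:
        src = origin_of(origin)
        if src is None:
            # 'null' or garbage: an opaque origin can never be trusted.
            return False, f"opaque or unparsable Origin {origin!r}"
        return src in allowed, f"Origin {src}"

    referer = hdrs.get("referer")
    if referer is not None:
        src = origin_of(referer)
        if src is None:
            return False, f"unparsable Referer {referer!r}"
        return src in allowed, f"Referer origin {src}"

    if allow_missing:
        return True, "no Origin or Referer; accepted by policy"
    return False, "no Origin or Referer header"


if __name__ == "__main__":
    # Constructed sample requests; the allow-list is a made-up journal host.
    site = ["https://journal.example.org"]
    samples = [
        ("POST", {"Origin": "https://journal.example.org"}),
        ("POST", {"Origin": "https://attacker.example"}),
        ("POST", {"Origin": "null"}),
        ("POST", {"Origin": "http://journal.example.org"}),  # scheme downgrade
        ("POST", {"Referer": "https://journal.example.org/index.php/submit"}),
        ("POST", {}),
        ("GET", {}),
    ]
    for method, hdrs in samples:
        ok, why = csrf_check(method, hdrs, site)
        print(f"{method:5} {hdrs!s:60} -> {'accept' if ok else 'REJECT':6} ({why})")
```

The allow-list must be an explicit configuration value, not derived from the incoming Host header, otherwise a request that controls Host can also satisfy the check. Matching is on the full canonical origin, so `https://journal.example.org.attacker.example` and a plain-HTTP variant of the site do not pass.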