signed request from url param #164
Conversation
This is a potential CSRF vulnerability, since an attacker can take their signed request (from the same app) and construct a URL with it and then get somebody else to click it. That could potentially allow the attacker to take control of the clicker's account on the app. The reason that it's safe to read the signed request from the cookie (as the library already supports) is because it's not possible to set arbitrary cookies on a domain from an unprivileged context (in contrast to a URL). The only safe way to support reading the signed request from the URL would be if it used the existing CSRF protection mechanism (via the state token). Depending on the context (I suspect you might be wanting this for FB games login?) that might not be possible. Does that make sense? |
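An added example, not part of this thread or of the omniauth-facebook code base, that makes the distinction drawn above concrete in Ruby: a valid signature on a `signed_request` only proves the token was issued by Facebook for some user of this app, so a callback that trusts a `signed_request` arriving in the URL also has to tie it to the browser's own session through the state token. The app secret, payload values and session layout here are constructed for the example; `handle_callback` is a hypothetical stand-in for the strategy's callback phase, and `make_signed_request` exists only to mint test input the way Facebook would.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Facebook signed_request format: "<base64url(sig)>.<base64url(json)>",
# where sig = HMAC-SHA256(app_secret, base64url(json)).
def base64url_decode(str)
  str = str.tr('-_', '+/')
  str += '=' * ((4 - str.length % 4) % 4)
  Base64.decode64(str)
end

def base64url_encode(bytes)
  Base64.strict_encode64(bytes).tr('+/', '-_').delete('=')
end

# Constant-time comparison so signature/state checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the payload hash when the signature verifies, nil otherwise.
def parse_signed_request(signed_request, app_secret)
  sig_b64, payload_b64 = signed_request.to_s.split('.', 2)
  return nil if sig_b64.nil? || payload_b64.nil?
  expected = OpenSSL::HMAC.digest('sha256', app_secret, payload_b64)
  return nil unless secure_equal?(base64url_decode(sig_b64), expected)
  payload = JSON.parse(base64url_decode(payload_b64))
  return nil unless payload.is_a?(Hash)
  return nil unless payload['algorithm'].to_s.upcase == 'HMAC-SHA256'
  payload
rescue JSON::ParserError
  nil
end

# Test helper (constructed): mints a signed_request the way Facebook would.
def make_signed_request(payload, app_secret)
  payload_b64 = base64url_encode(JSON.generate(payload))
  sig = OpenSSL::HMAC.digest('sha256', app_secret, payload_b64)
  "#{base64url_encode(sig)}.#{payload_b64}"
end

# Hypothetical callback phase. `params` are the request's query/form
# parameters; `session` is the server-side session bound to the browser's
# cookie. Returns the user id to log in, or a symbol naming the rejection.
def handle_callback(params, session, app_secret)
  payload = parse_signed_request(params['signed_request'], app_secret)
  return :bad_signature if payload.nil?
  # The signature only proves Facebook issued this token for *some* user of
  # the app; it says nothing about which browser is presenting it. The state
  # token stored in this browser's session is what binds the two together,
  # which is also why this check is impossible once the session cookie is
  # unavailable (e.g. a third-party iframe with cookies blocked).
  expected_state = session['omniauth.state']
  return :missing_state if expected_state.nil?
  return :state_mismatch unless params['state'].is_a?(String) &&
                               secure_equal?(params['state'], expected_state)
  session.delete('omniauth.state') # single use
  payload['user_id']
end

APP_SECRET = 'example-app-secret' # constructed, not a real secret
SOMEONE_ELSES_SR = make_signed_request(
  { 'algorithm' => 'HMAC-SHA256', 'user_id' => '1001', 'issued_at' => 0 },
  APP_SECRET
)

# A link carrying another account's signed_request, opened in a browser whose
# session holds its own state token, is rejected even though the signature
# verifies; the same token presented with the matching state is accepted.
def demo
  session = { 'omniauth.state' => SecureRandom.hex(16) }
  via_link = handle_callback({ 'signed_request' => SOMEONE_ELSES_SR }, session, APP_SECRET)
  genuine  = handle_callback({ 'signed_request' => SOMEONE_ELSES_SR,
                               'state' => session['omniauth.state'] }, session, APP_SECRET)
  [via_link, genuine]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Reading the `signed_request` from a cookie does not need this extra step because a page on another origin cannot set that cookie, whereas any page can build a URL containing a query parameter.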
You're right. What if I made sure this parameter is taken into account only during POST/PUT requests? I need this for a widget with a Facebook login that may reside inside an iframe. Third-party cookies are disabled by default with Safari, so I need to pass the signed request through the callback request:

```javascript
FB.login(function(response) {
  if (response.authResponse) {
    // pass the signed request to the app's callback as a query parameter
    $.getJSON('/customers/auth/facebook/callback?' +
      $.param({ signed_request: response.authResponse.signedRequest }), function(json) {
      // do stuff
    });
  }
}, { scope: 'email,public_profile,user_friends' });
```

I'll make the changes.
While trying to implement this, I came to realize that CSRF protection cannot work without cookies, so AFAIK there is no CSRF secure solution for supporting the token being passed through either post or get requests. @mkdynamic, if you agree, we can close this. |
Hmm, I'm wondering if a similar approach to the one in #174 should be used here also.
@simi |
I was thinking in a different way, but it is not possible, since this is not a similar case. Sorry.
added the possibility to get a signed request from the signed_request url parameter