Usage of XMLHttpRequest in a WebComponent with Google Polymer 1.x #205
This is an interesting project, thank you for your time building it. One question that I have: what configuration is needed for XMLHttpRequest in a WebComponent context? I have a single page application, which uses Google Polymer 1.x (https://polymer-library.polymer-project.org/1.0/docs/devguide/feature-overview). This has a WebComponent iron-ajax (https://github.com/PolymerElements/iron-ajax/tree/1.x), which uses XMLHttpRequest internally. I was able to configure my project to use "Scenario: everything is protected, except...". In some cases it works, and then suddenly the request token is not updated, generating "Request Token does not match Page Token". If I use TokenPerPage=true, then my issues are gone, but I am wondering if this makes the solution less secure.
Replies: 1 comment
Hello @eitch,

Unfortunately I am not familiar with Google Polymer, but if it uses `XMLHttpRequest`s internally and the `csrfguard.js` script runs first, which overrides some of the functions, then it should theoretically work. The documentation of the `TokenPerPage` configuration can be found in the `csrfguard.properties` file. If it is disabled then there will not be unique tokens assigned to different endpoints, and the solution will only use a single `masterToken`. Both can prevent basic CSRF attacks, but if you have an XSS vulnerability in your solution, it will be hardER (not impossible) to exploit if the `TokenPerPage` is enabled, because more logic is needed for it.