XSRF-TOKEN httpOnly cookie

[thiagomdiniz]

Hi,
It seems that a security feature added in version 4.1.0 is preventing us from updating Agate, because our corporate firewall forces all cookies to be httpOnly, and from what I've checked, the added feature requires JavaScript to access the XSRF-TOKEN cookie in order to send the x-xsrf-token header in requests.

Would it be possible to validate the xsrf only through the httpOnly cookie?

References:

• feat: improve CSRF protections #636
• feat: added samesite cookies and double submit cookie pattern #636 #637

Thank you!

[thiagomdiniz]

I'm not sure if it should be like that too. Shouldn't it retrieve the value from the csrf.allowed configuration?

agate/agate-rest/src/main/java/org/obiba/agate/web/rest/security/CorsFilter.java

Line 14 in 64e3f6a

responseContext.getHeaders().add("Access-Control-Allow-Origin", "http://localhost:9000");

Thanks again!

[thiagomdiniz]

I understand that the header can be important for double validation of CSRF (cookie and header).
I'm also internally checking the possibility of disabling the forced httpOnly configuration on the proxy.

[kazoompa]

The http://localhost:9000 is a default value it should not cause any issue. I have installed the latest Agate on our Staging server and tried to delete a newly created user and did not have any issue. I would try to install the latest version 4.2.1 and see if you still have the issue.

This Agate is Docker container and used Apache reverse-proxy.

[ymarcon]

This cookie cannot be httpOnly as it needs to be read by the app to feed it back in the header. This is coming from the OWASP recommendation:
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

More specifically see (1) at https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#csrf-prevention-in-modern-frameworks

[kazoompa]

@ymarcon May know better but do you see these two logs in your agate.log?

This filter uses csrf.allowed and it is initialize here

[thiagomdiniz]

This cookie cannot be httpOnly as it needs to be read by the app to feed it back in the header. This is coming from the OWASP recommendation: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

More specifically see (1) at https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#csrf-prevention-in-modern-frameworks

Perfect, thank you. I've already relayed the technical reasons and informed the security team that we need to disable forced httpOnly for Agate; otherwise, the system will not function properly.