Chris

CS> HTTP POST should not be prohibited unless I'm reading
CS> both the code and the CSRF specs incorrectly.

cjb> Pretend that it does. How would you solve that?

CS> You have to manually add the CSRF token in each <form>
CS> in a hidden FORM parameter. It's doable, but it sucks to
CS> have to do that across your whole application.

Yeah, that would be tedious. In my old JSP days we had a function "htmFormBegin" that we called to auto-populate all the needed hidden fields on every page for every form. (It could have been a tag.) The discipline of using that function instead of hard coding all the forms made changes like that trivial. Ah well.

CS> Application B has a feature where we present a web form to the user.
CS> It's fairly simple (paraphrasing):
CS> <form method="POST" action="/application_a/save_comment">
CS> <textarea name="comment"></textarea> </form>

cjb> What happens if you cheat? Can you use a redirect from
cjb> B to A instead, or will that violate the filter rules?

CS> That would be even more complicated. I'm looking for "simple" :)

It's too bad the CSRF handling can't be offloaded to the load balancer instead. Or perhaps an exception list could be added to the TC filter. It sounds like, in your case, CSRF *should* be allowed as an exception between your 2 apps, if I understand it correctly.

FWIW, even if my suggestions suck, I hope maybe that can provoke to "think outside the box" instead.

--
Cris Berneburg
CACI Senior Software Engineer
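Added example, not code from this thread or from Tomcat: a "form begin" helper in the spirit of the htmFormBegin function described above, for forms that post back into the same application. It assumes the hidden-field and request-attribute names used by Tomcat's CsrfPreventionFilter (check the Constants class of the Tomcat version in use); routing every <form> through one method means the nonce field is never forgotten and a name change is a one-line edit.

```java
import javax.servlet.http.HttpServletRequest;

/** Emits the opening <form> tag together with the CSRF nonce hidden field. */
public final class CsrfForm {

    // ASSUMPTION: names used by Tomcat's CsrfPreventionFilter; verify them
    // against org.apache.catalina.filters.Constants for your Tomcat version.
    public static final String NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE";
    public static final String NONCE_REQUEST_ATTR = "org.apache.catalina.filters.CSRF_REQUEST_NONCE";

    private CsrfForm() {}

    /** Returns '<form ...>' plus the hidden nonce input; the caller still writes </form>. */
    public static String begin(HttpServletRequest request, String action) {
        Object nonce = request.getAttribute(NONCE_REQUEST_ATTR);
        if (nonce == null) {
            // Fail loudly: a form emitted without a nonce would be rejected by the
            // filter on submit, so surface the misconfiguration at render time.
            throw new IllegalStateException(
                "CSRF nonce missing from request; is the filter mapped to this URL?");
        }
        StringBuilder sb = new StringBuilder(160);
        sb.append("<form method=\"POST\" action=\"").append(escapeAttr(action)).append("\">\n");
        sb.append("  <input type=\"hidden\" name=\"").append(escapeAttr(NONCE_PARAM))
          .append("\" value=\"").append(escapeAttr(nonce.toString())).append("\">\n");
        return sb.toString();
    }

    /** Minimal HTML attribute escaping so neither the action nor the nonce can break out of the attribute. */
    static String escapeAttr(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
}
```

In a JSP the form then starts with `<%= CsrfForm.begin(request, "/save_comment") %>`; the cross-application case in the thread (B posting to A) is not covered, since A's filter will not know a nonce issued in B's session.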