1. #1 Max_nl (Sencha User)

    Cross-site request forgery attack mitigation


    I was wondering if there is any easy way to instruct the Ext.Direct code to always send an extra parameter (nonce token) with all calls to the server?


    I'm a bit concerned about the potential Ext.Direct provides for CSRF attacks, especially when it comes to the @formHandler calls that post the information to the server as normal HTML form data.

  2. #2 mitchellsimoens (Sencha - Senior Forum Manager)


    Are you going to have this backend only be reachable from one site?
    Mitchell Simoens @SenchaMitch
    Sencha Inc, Senior Forum Manager

  3. #3 Max_nl (Sencha User)


    Quote Originally Posted by mitchellsimoens:
    > Are you going to have this backend only be reachable from one site?
    Correct.
    (But I cannot rely on Referer checking, if that is what you are aiming at.)

  4. #4 bcrowder (Sencha User)


    It can be done by overriding the getCallData function of RemotingProvider:
    Code:
        // Override RemotingProvider so every RPC transaction carries the token
        // alongside the standard Ext.Direct call fields.
        Ext.direct.RemotingProvider.override({
            getCallData: function(transaction) {
                return {
                    action: transaction.action,
                    method: transaction.method,
                    data: transaction.data,
                    type: 'rpc',
                    tid: transaction.id,
                    token: MyNS.MyToken   // nonce token kept in your own namespace
                };
            }
        });
