1. #1
    Max_nl (Sencha User, joined Jun 2009, 45 posts)

    Cross-site request forgery attack mitigation


    I was wondering if there is any easy way to instruct the Ext.Direct code to always send an extra parameter (nonce token) with all calls to the server?


    I'm a bit concerned about the potential Ext.Direct provides for CSRF attacks.
    Especially when it comes to the @formHandler calls that post the information to the server as normal HTML form data.

  2. #2
    mitchellsimoens (Sencha - Senior Forum Manager, joined Mar 2007, Gainesville, FL, 37,412 posts)


    Are you going to have this backend only be reachable from one site?
    Mitchell Simoens @SenchaMitch
    Sencha Inc, Senior Forum Manager

  3. #3
    Max_nl (Sencha User)


    Quote Originally Posted by mitchellsimoens:
        Are you going to have this backend only be reachable from one site?
    Correct.
    (But I cannot rely on Referer checking, if that is what you are aiming at.)

  4. #4
    bcrowder (Sencha User, joined Nov 2011)


    It can be done by overriding the getCallData function of RemotingProvider:
    Code:
    Ext.direct.RemotingProvider.override({
        // Called for every RPC call; the object returned here is what the
        // provider sends to the server (as JSON, or batched into an array
        // of these objects).
        getCallData: function(transaction){
            return {
                action: transaction.action,
                method: transaction.method,
                data: transaction.data,
                type: 'rpc',
                tid: transaction.id,
                // Per-session anti-CSRF token held by the application;
                // MyNS.MyToken is whatever global the app stores it in.
                token: MyNS.MyToken
            };
        }
    });
