feat(security): Automatic XSRF handling. by mprobst · Pull Request #8898 · angular/angular

mprobst · 2016-05-28T03:24:20Z

The commit message follows our guidelines: https://github.com/angular/angular/blob/master/CONTRIBUTING.md#commit-message-format
Tests for the changes have been added (for bug fixes / features)
Docs have been added / updated (for bug fixes / features)

What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)

Feature

Does this PR introduce a breaking change?

Yes
No

Automatically recognize XSRF protection cookies, and set a corresponding XSRF
header. Allows applications to configure the cookie names, or if needed,
completely override the XSRF request configuration by binding their own
XSRFHandler implementation.

Part of #8511.

mprobst · 2016-05-28T03:25:18Z

@rjamet PTAL from a security perspective.
@mhevery PTAL for the new API addition (see public_api_spec.ts).

rjamet · 2016-05-30T11:20:56Z

modules/@angular/http/http.ts

Somewhat out of scope, but it's probably the right place to put a warning saying that Angular won't do that for you, and your backend has to check that in every relevant api point ?

rjamet · 2016-05-30T11:25:02Z

LGTM on the code, +@koto and @molnarg anyways.

However, this might need more doc, or links to https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) for instance ? The problem is straightforward, but it's not obvious how Angular having this automatic header addition from cookie values helps, and what should a developer do with this to prevent issues.

koto · 2016-05-30T22:13:19Z

modules/@angular/http/src/backends/xhr_backend.ts

Usually the GET requests don't need the XSRF token, but if Angular 1 did it for GET as well (I don't know that), it's better to have backwards compatibility here.

I think it did, a quick review of the doc and implementation doesn't seem to discriminate on that (doc at https://github.com/angular/angular.js/blob/0727bfc141db6e60bce2fb1e09ad4f53963dec5d/src/ng/http.js#L770)

Yeah, not needed, but I think it's better to make it a decision of the server side when to enforce XSRF, and just unconditionally send the headers by default here.

koto · 2016-05-30T22:15:05Z

LGTM (modulo the notes above).

molnarg · 2016-05-31T13:20:57Z

LGTM

mprobst · 2016-05-31T17:49:55Z

@rjamet I added a link in a somewhat random location. We're working on the security documentation, I plan to link to a central "here's all about security in Angular 2" doc once we have that.

vicb · 2016-05-31T17:54:21Z

modules/@angular/http/http.ts

useClass ?

Nope. Our injector does not support arguments with default values, it'll complain about a binding for String missing.

mhevery · 2016-05-31T18:04:08Z

LGTM

Automatically recognize XSRF protection cookies, and set a corresponding XSRF header. Allows applications to configure the cookie names, or if needed, completely override the XSRF request configuration by binding their own XSRFHandler implementation. Part of angular#8511.

tlaverdure · 2016-06-17T22:16:06Z

modules/@angular/http/src/backends/xhr_backend.ts

+  constructor(
+      private _cookieName: string = 'XSRF-TOKEN', private _headerName: string = 'X-XSRF-TOKEN') {}
+
+  configureRequest(req: Request) {


Seems related to this issue - #9294

googlebot added the cla: yes label May 28, 2016

mprobst assigned robwormald May 28, 2016

mprobst mentioned this pull request May 28, 2016

Angular 2 Security Tracking Issue #8511

Closed

17 tasks

mprobst added action: review The PR is still awaiting reviews from at least one requested reviewer action: review area: security Issues related to built-in security features, such as HTML sanitation feature Label used to distinguish feature request from other issues labels May 28, 2016

rjamet reviewed May 30, 2016
View reviewed changes

koto reviewed May 30, 2016
View reviewed changes

mprobst added pr_state: LGTM action: merge The PR is ready for merge by the caretaker and removed action: review action: review The PR is still awaiting reviews from at least one requested reviewer labels May 31, 2016

mprobst force-pushed the xsrf branch from 850681f to 137d9e3 Compare May 31, 2016 17:50

vicb reviewed May 31, 2016
View reviewed changes

mprobst force-pushed the xsrf branch from 137d9e3 to 4d793c4 Compare May 31, 2016 23:12

mprobst merged commit 4d793c4 into angular:master May 31, 2016

laskoviymishka mentioned this pull request Jun 13, 2016

Create Universal cookies module angular/universal#273

Closed

tlaverdure reviewed Jun 17, 2016
View reviewed changes

Conversation

mprobst commented May 28, 2016

Uh oh!

mprobst commented May 28, 2016

Uh oh!

rjamet May 30, 2016 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

rjamet commented May 30, 2016

Uh oh!

koto May 30, 2016

Choose a reason for hiding this comment

Uh oh!

rjamet May 31, 2016

Choose a reason for hiding this comment

Uh oh!

mprobst May 31, 2016

Choose a reason for hiding this comment

Uh oh!

koto commented May 30, 2016

Uh oh!

molnarg commented May 31, 2016

Uh oh!

mprobst commented May 31, 2016

Uh oh!

vicb May 31, 2016

Choose a reason for hiding this comment

Uh oh!

mprobst May 31, 2016

Choose a reason for hiding this comment

Uh oh!

mhevery commented May 31, 2016

Uh oh!

tlaverdure Jun 17, 2016 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants

rjamet May 30, 2016 •

edited

Loading

tlaverdure Jun 17, 2016 •

edited

Loading