[Owasp-csrfguard] Javascript generated links

Smitty smitty_in_vancouver at yahoo.com
Thu Aug 9 05:20:16 UTC 2012

I had to create a global variable with the token so I could include it in my custom JS code that opened new browser windows. I didn't like the idea of this at first, but based on my research I couldn't find a reason why this would be any less secure.

var OWASPToken; // outside the private function

// inside the csrfguard.js after it checks the isValidDomain
OWASPToken = {"name": "%TOKEN_NAME%", "value": "%TOKEN_VALUE%"};

I tried accessing this global from another JS file in a different domain and it wasn't able to access it, so I believe the browser same-origin policy protects this. So, again, I believe this is no less secure.

The other option, though maybe more intrusive to your app, would be to use the JavaScriptServlet to return your own JS files, and it will replace the %TOKEN_VALUE% values in your own code.

I'm not an authority on this and still figuring out the best way, but these are my two cents.
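As an added example (not the poster's code and not part of OWASP CSRFGuard), the following shows one way custom window-opening code could consume a token published in a global like the OWASPToken above: it assumes the token travels as a request parameter and only attaches it to same-origin URLs, so the token is never handed to a third-party site through the link.

```javascript
// Added example, not from the original post or the CSRFGuard project.
// Uses the {name, value} shape the post gives for the OWASPToken global.
// Constructed sample token; CSRFGuard fills the real one from %TOKEN_NAME% / %TOKEN_VALUE%.
const OWASPToken = { name: "OWASP_CSRFTOKEN", value: "ABCDEF0123456789" };

// Return href with the token appended as a query parameter, or null when the
// target is not same-origin with baseOrigin (the caller then opens it untouched).
// Relative hrefs are resolved against baseOrigin; an existing query string and
// fragment are preserved.
function withCsrfToken(href, token, baseOrigin) {
  const url = new URL(href, baseOrigin);
  if (url.origin !== new URL(baseOrigin).origin) {
    return null; // cross-origin: do not leak the token in the URL
  }
  url.searchParams.set(token.name, token.value);
  return url.toString();
}

// Wrapper around window.open(): in a browser baseOrigin would be location.origin.
// Outside a browser (e.g. Node) it returns the URL that would have been opened.
function openWithToken(href, token, baseOrigin) {
  const target = withCsrfToken(href, token, baseOrigin) || href;
  if (typeof window !== "undefined" && typeof window.open === "function") {
    return window.open(target, "_blank");
  }
  return target;
}
```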
