[Owasp-csrfguard] problems with dynamic images

Chris Hyzer mchyzer at isc.upenn.edu
Mon Oct 7 20:58:10 UTC 2013

I have a QR code that I would like not to be able to be requested unless the CSRF token is there.  It's not really working.  When I just have this it doesn't work (get an error about potential problem):

<img src="UiMain.qrCode.gif" height="300" width="300" />

And when I try to put the token in the query string, it also doesn't work (same error).  It does put two tokens in the request sometimes though (the JavaScript at work... maybe it should see if there is already a code in the query string and not change those).

<img src="UiMain.qrCode.gif?<csrf:token-name/>=<csrf:token-value uri="${pageContext.request.contextPath}/twoFactorUi/app/UiMain.qrCode.gif"/>" height="300" width="300" />

It's not that important, so I can add it to the ignore entries, I guess.
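
The check suggested in the message above (skip a URL that already carries the token parameter), as an added example that is not part of the original post and not CSRFGuard's own code. The function names are hypothetical, OWASP_CSRFTOKEN is assumed as the token name, and the token values are constructed.

```javascript
// Added example: append a CSRF token to a resource URL only when the
// parameter is not already in the query string, so a server-rendered token
// is never duplicated by client-side rewriting.

// True if the query string (not the fragment) already has a parameter `name`.
function hasQueryParam(url, name) {
  const noFragment = url.split('#')[0];
  const q = noFragment.indexOf('?');
  if (q === -1) return false;
  return noFragment.slice(q + 1).split('&').some((pair) => {
    const rawKey = pair.split('=')[0];
    try {
      return decodeURIComponent(rawKey.replace(/\+/g, ' ')) === name;
    } catch (e) {
      return false; // malformed percent-encoding: cannot be our parameter
    }
  });
}

// Returns `url` unchanged when the token is present, otherwise with the
// token appended before any fragment.
function appendTokenOnce(url, name, value) {
  if (hasQueryParam(url, name)) return url;
  const hashAt = url.indexOf('#');
  const base = hashAt === -1 ? url : url.slice(0, hashAt);
  const fragment = hashAt === -1 ? '' : url.slice(hashAt);
  let sep;
  if (!base.includes('?')) sep = '?';
  else if (base.endsWith('?') || base.endsWith('&')) sep = '';
  else sep = '&';
  return base + sep + encodeURIComponent(name) + '=' +
    encodeURIComponent(value) + fragment;
}

// Constructed sample values.
const TOKEN_NAME = 'OWASP_CSRFTOKEN';
const PAGE_TOKEN = 'AAAA-1111';
console.log(appendTokenOnce('UiMain.qrCode.gif', TOKEN_NAME, PAGE_TOKEN));
console.log(appendTokenOnce('UiMain.qrCode.gif?OWASP_CSRFTOKEN=BBBB-2222',
  TOKEN_NAME, PAGE_TOKEN));
```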

