Allow XSRF to be sent as POST parameter in addition to HTML header

HTML headers can only be sent via JS, we need this change to allow
secure POST form submission.

The form itself will have a hidden "input" tag with the XSRF token in it. This
is how other frameworks do it as well - see
https://en.wikipedia.org/wiki/Cross-site_request_forgery#Synchronizer_token_pattern

This is in preparation for the OT&E setup page, which will be a simple form
with a "submit" button, so using JS for it is overkill.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=226178070
guyben 2018-12-19 08:35:40 -08:00 committed by Michael Muller
parent 7c9b2172fd
commit da5a8796b8
3 changed files with 202 additions and 2 deletions


@ -37,6 +37,9 @@ public final class XsrfTokenManager {
/** HTTP header used for transmitting XSRF tokens. */
public static final String X_CSRF_TOKEN = "X-CSRF-Token";
/** POST parameter used for transmitting XSRF tokens. */
public static final String P_CSRF_TOKEN = "xsrfToken";
/** Maximum age of an acceptable XSRF token. */
private static final Duration XSRF_VALIDITY = Duration.standardDays(1);
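Review bot: the Javadoc on the new `P_CSRF_TOKEN` constant says "POST parameter", but nothing in the visible declaration constrains where the value is read from; if the validation code later reads it with a generic request-parameter lookup, a token placed in the query string of a GET would also be accepted, which puts the secret into URLs, referrers and access logs. Consider documenting here that the parameter is only honored from the POST body (and enforcing that at the read site), e.g. `/** POST body parameter used for transmitting XSRF tokens; not accepted from the query string. */`. Minor naming point: the constant is `P_CSRF_TOKEN` while its value is `"xsrfToken"` and the header constant is `X_CSRF_TOKEN` with value `"X-CSRF-Token"`; pick one spelling (CSRF or XSRF) for the constant names and their values so form templates and validators do not drift.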