Demos · Guide · Class Reference · Wiki · Extensions · Live Chat
search

Yii Framework Forum: Csrf Validation Problem For Requests With Content-Type: Application/json - Yii Framework Forum

Jump to content

Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

Csrf Validation Problem For Requests With Content-Type: Application/json I have a problem with json-rpc service when CSRF validation is enabled Rate Topic: -----

#1 User is offline   Bogdan Savluk 

  • Junior Member
  • Pip
  • Yii
  • Group: Members
  • Posts: 34
  • Joined: 20-April 10
  • Location:Kiev

Posted 08 November 2012 - 03:46 PM

I am developing TinyMCE extension for yii http://www.yiiframew...sion/newtinymce

TinyMCE has a plugin for spellchecking, this plugin relies on json-rpc service on server side (https://github.com/t...pellchecker_php).

I have written an action for yii which will handle all requests for this service: TinyMceSpellcheckerAction.php

But when csrf validation is enabled all requests to this service will be rejected because requests have content-type is "application/json" and even if csrf token will be passed within request - it could not be validated by Yii.

I have following suggestions in order to solve this problem:
1. Skip validation, for all requests with content-type application/json in CHttpRequest
2. Move csrf validation, from CHttpRequest into filter in controllers
3. Separate entry point for such requests

So my question is - what is the best way to handle such requests with Yii?
0

#2 User is offline   Bogdan Savluk 

  • Junior Member
  • Pip
  • Yii
  • Group: Members
  • Posts: 34
  • Joined: 20-April 10
  • Location:Kiev

Posted 09 November 2012 - 02:29 AM

About first suggestion, corespounding request class below:
class HttpRequest extends CHttpRequest
{
    public function validateCsrfToken($event)
    {
        $contentType = isset($_SERVER["CONTENT_TYPE"]) ? $_SERVER["CONTENT_TYPE"] : null;
        if ($contentType !== 'application/json')
            parent::validateCsrfToken($event);
    }
}

0

#3 User is offline   redguy 

  • Advanced Member
  • PipPipPip
  • Yii
  • Group: Members
  • Posts: 588
  • Joined: 02-July 10
  • Location:Central Poland

Posted 09 November 2012 - 10:54 AM

it is not about content type, but rather how is the request prepared. CSRF works for every POST request by default. Problem is with AJAX POST request which should have CSRF token, but they don't (you should add it by yourself). If you can't add CSRF token to some AJAX requests you should consider disabling CSRF in some cases. I do not know if disabling it by content-type is good solution, because it is insecure as it is too generic. In applications I am familiar with we rather created custom HttpRequest with whitelist for some controller/action entries so you could disable CSRF just for single action:
class HttpRequest extends CHttpRequest {

    public $dont_validate_csrf_routes = array();

   public function validateCsrfToken($event) {
        if( !in_array(Yii::app()->request->url, $this->dont_validate_csrf_routes) ) {
            parent::validateCsrfToken($event);
        }
    }
}

red
1

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users