
CsrfPreventionRequestCycleListener should support Fetch Metadata Request Headers


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 9.0.0-M5, 8.8.0
    • Fix Version/s: 9.1.0
    • Component/s: wicket-core
    • Labels: None

    Description

      CsrfPreventionRequestCycleListener tries to determine the origin of a request by interpreting the Origin header, and uses this to block cross-origin requests. The Origin header, however, is not very reliable: for example, when a user opens a link in a new tab, the header is not sent. Fetch Metadata Request Headers (https://w3c.github.io/webappsec-fetch-metadata/) aim to solve this with a set of well-defined headers. For Wicket, sec-fetch-site is the most important one: same-origin is safe, none means a user opened a link via (for example) a bookmark, and same-site and cross-origin should be blocked.
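As an added illustration (not Wicket's own code and not the patch that resolved this issue), here is a minimal Java classifier for the policy described above; the class, enum and method names are invented, and `cross-site` is the value the Fetch Metadata specification actually uses for what the description calls cross-origin:

```java
import javax.servlet.http.HttpServletRequest;

/** Added example: Sec-Fetch-Site based CSRF decision, not part of Wicket. */
public final class FetchMetadataCsrfCheck {

    public enum Verdict { ALLOW, BLOCK, NO_FETCH_METADATA }

    /**
     * Classifies a Sec-Fetch-Site value following the policy in the issue:
     * same-origin and none are allowed, same-site and cross-site are blocked.
     * Returns NO_FETCH_METADATA when the header is absent (browsers that do
     * not send Fetch Metadata), so the caller can fall back to the existing
     * Origin-header comparison instead of silently allowing the request.
     */
    public static Verdict classify(String secFetchSite) {
        if (secFetchSite == null || secFetchSite.isEmpty()) {
            return Verdict.NO_FETCH_METADATA;
        }
        switch (secFetchSite.trim().toLowerCase()) {
            case "same-origin": // request originates from our own origin
            case "none":        // user-initiated navigation, e.g. bookmark or typed URL
                return Verdict.ALLOW;
            case "same-site":   // sibling subdomain: same registrable domain, other origin
            case "cross-site":  // a different site entirely
                return Verdict.BLOCK;
            default:            // unknown or malformed value: fail closed
                return Verdict.BLOCK;
        }
    }

    /** Convenience wrapper for servlet code; assumes the standard servlet API. */
    public static Verdict check(HttpServletRequest request) {
        return classify(request.getHeader("Sec-Fetch-Site"));
    }

    /** Constructed sample values showing each branch of the policy. */
    public static void main(String[] args) {
        String[] samples = { "same-origin", "none", "same-site", "cross-site", null };
        for (String s : samples) {
            System.out.println(s + " -> " + classify(s));
        }
    }
}
```

A listener wired this way should only consult the Origin header when `classify` returns `NO_FETCH_METADATA`, which keeps the unreliable header out of the decision whenever the browser supplies Fetch Metadata.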

      People

        Assignee: Emond Papegaaij (papegaaij)
        Reporter: Emond Papegaaij (papegaaij)
        Votes: 0
        Watchers: 5