Usage of XMLHttpRequest in a WebComponent with Google Polymer 1.x

[eitch]

This is an interesting project, thank you for your time building it.

One question that i have: What configuration is needed for XMLHttpRequest in a WebComponent context.

I have a single page application, which uses Google Polymer 1.x (https://polymer-library.polymer-project.org/1.0/docs/devguide/feature-overview). This has a WebComponent iron-ajax (https://github.com/PolymerElements/iron-ajax/tree/1.x), which uses XMLHttpRequest internally.

I was able to configure my project to using "Scenario: everything is protected, except...".

In some cases it works, and then suddenly the request token is not updated, generating "Request Token does not match Page Token". If i use TokenPerPage=true, then my issues are gone, but i am wondering if this makes the solution less secure.

[forgedhallpass]

Hello @eitch,

Unfortunately I am not familiar with Google Polymer, but if it uses XMLHttpRequests internally and the csrfguard.js script runs first, which overrides some of the functions then it should theoretically work.

The documentation of the TokenPerPage configuration can be found in the csrfguard.properties file. If it is disabled then there will not be unique tokens assigned to different endpoints, and the solution will only use a single masterToken. Both can prevent basic CSRF attacks, but if you have an XSS vulnerability in your solution, it will be hardER (not impossible) to exploit if the TokenPerPage is enabled, because more logic is needed for it.