Comments (6)
from csrf.
Very strange: when uploaded to the real server there is no such problem in the very same browser. But from mobile Chrome it's there again. Desktop Firefox is also affected.
Test links, with the above code compiled and running on port 6543:
http://78.46.201.106:6543/ru/account/signup // Failing on some browsers
http://78.46.201.106:6543/en/account/signup // Works ok
Other routes are also available for testing.
Complete code of this example:

```go
package main

import (
	"fmt"
	"html/template"
	"log"
	"net/http"

	"github.com/gorilla/csrf"
	"github.com/gorilla/mux"
)

var form = `
<html>
<head>
<title>Sign Up!</title>
</head>
<body>
<form method="POST" action="/signup/post" accept-charset="UTF-8">
<input type="text" name="name">
<input type="text" name="email">
<!--
    The default template tag used by the CSRF middleware.
    This will be replaced with a hidden <input> field containing the
    masked CSRF token.
-->
{{ .csrfField }}
<input type="submit" value="Sign up!">
</form>
</body>
</html>
`

var t = template.Must(template.New("signup_form.tmpl").Parse(form))

func main() {
	r := mux.NewRouter()
	r.HandleFunc("/signup", ShowSignupForm)            // OK
	r.HandleFunc("/en/account/signup", ShowSignupForm) // OK
	r.HandleFunc("/ru/account/signup", ShowSignupForm) // FAIL! Forbidden - CSRF token invalid
	r.HandleFunc("/r/account/signup", ShowSignupForm)  // OK
	r.HandleFunc("/ur/account/signup", ShowSignupForm) // OK
	r.HandleFunc("/rus/account/signup", ShowSignupForm) // OK
	r.HandleFunc("/ro/account/signup", ShowSignupForm) // OK
	r.HandleFunc("/account/ru/signup", ShowSignupForm) // OK

	// All POST requests without a valid token will return HTTP 403 Forbidden.
	r.HandleFunc("/signup/post", SubmitSignupForm)

	// Add the middleware to your router by wrapping it.
	// PS: Don't forget to pass csrf.Secure(false) if you're developing locally
	// over plain HTTP (just don't leave it on in production). The auth key
	// should be a random secret in production, not a fixed string like this.
	log.Fatal(http.ListenAndServe(":6543",
		csrf.Protect([]byte("32-byte-long-auth-key"), csrf.Secure(false))(r)))
}

func ShowSignupForm(w http.ResponseWriter, r *http.Request) {
	// signup_form.tmpl just needs a {{ .csrfField }} template tag for
	// csrf.TemplateField to inject the CSRF token into. Easy!
	err := t.ExecuteTemplate(w, "signup_form.tmpl", map[string]interface{}{
		csrf.TemplateTag: csrf.TemplateField(r),
	})
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
	}
}

func SubmitSignupForm(w http.ResponseWriter, r *http.Request) {
	// We can trust that requests making it this far have satisfied
	// our CSRF protection requirements (the middleware has already
	// parsed the form to read the token, so r.PostForm is populated).
	fmt.Fprintf(w, "%v\n", r.PostForm)
}
```
from csrf.
from csrf.
Thank you for your clues, that makes sense. I've tested this many times in incognito mode and the results are indeed different if I'm using different starting points. But I'm not writing any special cookies in this example; it's just as simple as above and still it works poorly. And if I use some simple paths like /subscribe there are no problems at all. What is the best practice for "resetting" CSRF? I've not found anything in the docs regarding this.
from csrf.
So in general the problem is definitely not related to /ru/, but what's the best practice for a rather simple case: navigation with a language prefix, if I want to switch language?
/en/login
/en/something/...
/fr/login
/fr/something/...
Login should be strictly at the root?
/login
And no other options?
from csrf.
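The observations in this thread (a nested path such as /ru/account/signup failing in a fresh browser, the same route working when reached from a different starting point, and the related issues "Default path can cause unexpected CSRF token rejections" and "Multiple _gorilla_csrf cookies create an issue") are all consistent with one mechanism: a cookie set without a Path attribute gets the RFC 6265 default-path (the directory of the page that set it), so a cookie issued while rendering /ru/account/signup is scoped to /ru/account and is never sent to /signup/post. The Go program below is an added example, not code from this thread or from gorilla/csrf. It implements the RFC 6265 default-path and path-match rules and simulates a browser and a CSRF middleware under three labelled assumptions: the middleware reads the first cookie of its name, keeps an existing cookie rather than minting a new one, and, when `cookiePath` is empty, sets the cookie without a Path attribute. The `cookiePath: "/"` variant stands in for configuring an explicit cookie path (gorilla/csrf exposes this as the `csrf.Path` option), which makes every language-prefixed entry point behave the same.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// defaultPath is the RFC 6265 section 5.1.4 default-path: the path a browser
// assigns to a cookie whose Set-Cookie header carries no Path attribute.
func defaultPath(requestPath string) string {
	if !strings.HasPrefix(requestPath, "/") {
		return "/"
	}
	i := strings.LastIndex(requestPath, "/")
	if i == 0 {
		return "/"
	}
	return requestPath[:i]
}

// pathMatches is the RFC 6265 section 5.1.4 path-match rule: the request path
// equals the cookie path or extends it at a "/" boundary.
func pathMatches(requestPath, cookiePath string) bool {
	if requestPath == cookiePath {
		return true
	}
	if !strings.HasPrefix(requestPath, cookiePath) {
		return false
	}
	return strings.HasSuffix(cookiePath, "/") || requestPath[len(cookiePath)] == '/'
}

// browser is a toy cookie jar for a single cookie name: one value per path.
type browser map[string]string

// cookiesFor lists the values the browser would send for reqPath, longest
// path first, which is the order RFC 6265 section 5.4 prescribes.
func (b browser) cookiesFor(reqPath string) []string {
	var paths []string
	for p := range b {
		if pathMatches(reqPath, p) {
			paths = append(paths, p)
		}
	}
	sort.Slice(paths, func(i, j int) bool { return len(paths[i]) > len(paths[j]) })
	vals := make([]string, 0, len(paths))
	for _, p := range paths {
		vals = append(vals, b[p])
	}
	return vals
}

// server models the ASSUMED middleware behaviour (an assumption for this
// example, not a statement about gorilla/csrf's code): it reads the first
// cookie of the CSRF name, keeps it if present, otherwise mints a fresh one.
type server struct {
	cookiePath string // "" models Set-Cookie without Path; "/" models an explicit Path=/
	issued     int
}

// render simulates GET formPath: it returns the token embedded in the page
// and stores any newly issued cookie in the browser under the right path.
func (s *server) render(b browser, formPath string) string {
	if sent := b.cookiesFor(formPath); len(sent) > 0 {
		return sent[0]
	}
	s.issued++
	tok := fmt.Sprintf("tok%d", s.issued)
	p := s.cookiePath
	if p == "" {
		p = defaultPath(formPath)
	}
	b[p] = tok
	return tok
}

// submit simulates POST postPath carrying the page's token: the check passes
// only if the first cookie the browser sends equals that token.
func (s *server) submit(b browser, postPath, formToken string) bool {
	sent := b.cookiesFor(postPath)
	return len(sent) > 0 && sent[0] == formToken
}

// signupFlow reports whether loading formPath and then posting to postPath
// passes the CSRF check.
func signupFlow(b browser, s *server, formPath, postPath string) bool {
	return s.submit(b, postPath, s.render(b, formPath))
}

func main() {
	s, b := &server{}, browser{}
	// Fresh browser: the nested route gets a cookie scoped to /ru/account.
	fmt.Println("/ru/account/signup first:", signupFlow(b, s, "/ru/account/signup", "/signup/post"))
	// /signup issues a cookie at "/", which does reach /signup/post.
	fmt.Println("/signup:", signupFlow(b, s, "/signup", "/signup/post"))
	// /r/account/signup now finds the "/" cookie and works ...
	fmt.Println("/r/account/signup:", signupFlow(b, s, "/r/account/signup", "/signup/post"))
	// ... but /ru/account/signup still sees its stale, longer-path cookie first.
	fmt.Println("/ru/account/signup again:", signupFlow(b, s, "/ru/account/signup", "/signup/post"))
	// With an explicit cookie path of "/", every entry point behaves alike.
	fixed, b2 := &server{cookiePath: "/"}, browser{}
	fmt.Println("fixed /ru/account/signup:", signupFlow(b2, fixed, "/ru/account/signup", "/signup/post"))
}
```

The model reproduces the thread's symptoms exactly because of the ordering rule: once a longer-path cookie exists for /ru/account, the browser sends it ahead of the "/" cookie on page load, the server embeds that token in the form, and the POST to /signup/post then carries only the "/" cookie. Pinning the cookie path to "/" removes the dependence on which page the user visited first, which is also the answer to the "resetting" question above: there is nothing to reset once every route issues and reads the same cookie.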
Many thanks, hope this will be a useful thread anyway.
from csrf.
Related Issues (20)
- [question] X-Csrf-Token is empty in Response headers (Secure is off) HOT 10
- [question] How to use gorilla/csrf for CSRF protection when authenticating with OpenID Connect? HOT 4
- Does gorilla-csrf really provide more security? HOT 7
- Default path can cause unexpected CSRF token rejections HOT 4
- [bug] Change default request header onto custom HOT 3
- csrf.go: ErrBadReferer due to empty r.URL.Host HOT 1
- [bug] Not providing token results in wrong error HOT 1
- [question] How do I set csrf token from React HOT 1
- Multiple _gorilla_csrf cookies create an issue HOT 2
- [bug] README.md does not mention the need to keep the CSRF key secret HOT 1
- user disabled/blocked cookies on their browser.
- [docs] HOT 1
- Cannot get basic version of in-browser Javascript application documentation working HOT 8
- Package is not `go get`able [bug] HOT 2
- CSRF middlware is not usable with go gin HOT 1
- [bug] Generate CSRF tokens for skipped requests
- Forbidden - CSRF token invalid
- [BUG] Middleware doesn't work with Chi HOT 1
- First request to protected endpoint fails, CSRF header is empty
- [Question] How to log HOT 1