feat(csrf): add cross-origin protection middleware#699
Conversation
Ports the CSRF protection scheme introduced in Go 1.25 (described in Filippo Valsorda's blog post) as a new optional `csrf` feature. The middleware combines `Sec-Fetch-Site`, an `Origin` allow-list, and an `Origin`/`Host` fallback to reject cross-origin state-changing requests without per-request token state.
|
One last time from by side: |
Fine by me, let's keep it opaque for now until we have a reason to open it up. |
jlizen
left a comment
jlizen
left a comment
There was a problem hiding this comment.
New changes are great, thanks, the custom rejection closure impl looks good.
The remaining bit is undoing the canonicalize for the comparisons, like we discussed, and optionally tweaking the error type to be more defensive semver.
Tremoneck
left a comment
Tremoneck
left a comment
There was a problem hiding this comment.
Just something I noticed when scrolling through. It would however not follow the Blog Post or the Go implementation.
|
I'll need a few days for the next round |
|
All remarks have been addressed and I've added two tracking issues (as proposed): #701 and #702 . One one more request for clarification: I am adding errors now in the service, not anymore in the default response. This is a bit more logical but this has not really a precedence (as far as I can tell) in the crate. LMK if that works for you. Addendum: following your style remarks |
3 participants
Ports the CSRF protection scheme introduced in Go 1.25 (described in Filippo Valsorda's blog post) as a new optional
csrffeature. The middleware combinesSec-Fetch-Site, anOriginallow-list, and anOrigin/Hostfallback to reject cross-origin state-changing requests without per-request token state.See #656 for context.