security - CSRFGuard unprotected resources are protected
I've added the OWASP CSRFGuard project to my application, but I found that resources such as CSS and GIF files are protected even though they are defined as unprotected by the following piece of configuration:

```properties
# Everything under the servlet context's /resources/ directory (prefix pattern)
org.owasp.csrfguard.unprotected.public=%servletContext%/resources/*
# One specific stylesheet (exact path)
org.owasp.csrfguard.unprotected.css=%servletContext%/resources/css/main.css
# Extension patterns; "scripts" duplicates the "js" entry
org.owasp.csrfguard.unprotected.js=*.js
org.owasp.csrfguard.unprotected.scripts=*.js
org.owasp.csrfguard.unprotected.styles=*.css
org.owasp.csrfguard.unprotected.gif=*.gif
org.owasp.csrfguard.unprotected.png=*.png
org.owasp.csrfguard.unprotected.jpg=*.jpg
```

For JS files it works fine. What is the reason for this behaviour? Thanks in advance.
I'm not sure what the reason is. I know that it has to do with href attributes (such as those used for CSS and GIF files). The unprotected declarations in the properties file work fine for me when I have the CSRFGuard filter on all requests (URL pattern = "/*"), but not when I want to specify a servlet.

However, I have found a workaround. In web.xml, add an init-param to the OwaspJavaScriptServlet:

```xml
<init-param>
    <param-name>inject-into-attributes</param-name>
    <param-value>false</param-value>
</init-param>
```

Then the resources' href and src attributes should be token-free. See the documentation.
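As an added illustration of the answer above (this is not code from the question, the answer, or the CSRFGuard project), here is a small JavaScript model of the two mechanisms involved: the server-side matching of the `org.owasp.csrfguard.unprotected.*` patterns, and the client-side attribute injection controlled by `inject-into-attributes`. The pattern matching follows the documented semantics of those properties (exact path, `/*` prefix, `*.ext` extension, `%servletContext%` substitution; regex patterns are not modelled). The context path `/app`, the token value, the cross-origin rule and the injection rule itself are assumptions made for the illustration.

```javascript
// Added example, not CSRFGuard's own code: a model of (1) how the
// "org.owasp.csrfguard.unprotected.*" patterns are matched for a request
// URI and (2) what the JavaScript's inject-into-attributes setting does to
// href/src values. Context path, token and injection rule are assumptions.

const CONTEXT_PATH = "/app";            // assumed servlet context path
const TOKEN_NAME = "OWASP_CSRFTOKEN";   // CSRFGuard's default token name

// Constructed inline from the properties in the question.
const PROPERTIES = `
org.owasp.csrfguard.unprotected.public=%servletContext%/resources/*
org.owasp.csrfguard.unprotected.css=%servletContext%/resources/css/main.css
org.owasp.csrfguard.unprotected.js=*.js
org.owasp.csrfguard.unprotected.styles=*.css
org.owasp.csrfguard.unprotected.gif=*.gif
`;

// Collect the unprotected patterns, substituting %servletContext%.
function parseUnprotected(props, contextPath) {
  const patterns = [];
  for (const raw of props.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    if (!key.startsWith("org.owasp.csrfguard.unprotected.")) continue;
    const value = line.slice(eq + 1).trim()
      .replace(/%servletContext%/gi, contextPath);
    patterns.push(value);
  }
  return patterns;
}

// Documented matching rules: "/prefix/*", "*.ext", or an exact path.
// The query string (where an injected token would sit) is ignored.
function isUnprotected(uri, patterns) {
  const path = uri.split("?")[0];
  return patterns.some((p) => {
    if (p.endsWith("/*")) return path.startsWith(p.slice(0, -1)); // prefix
    if (p.startsWith("*.")) return path.endsWith(p.slice(1));     // extension
    return path === p;                                             // exact
  });
}

// Model of the JavaScript's attribute injection: when enabled, every
// same-origin href/src gets the token appended, independently of the
// server-side unprotected list (assumption: absolute URLs are cross-origin
// and left alone).
function injectIntoAttribute(url, token, injectIntoAttributes) {
  if (!injectIntoAttributes) return url;
  if (/^[a-z]+:\/\//i.test(url)) return url;
  const sep = url.includes("?") ? "&" : "?";
  return `${url}${sep}${TOKEN_NAME}=${token}`;
}

// Run the question's configuration against a few constructed URIs.
function demo() {
  const patterns = parseUnprotected(PROPERTIES, CONTEXT_PATH);
  const css = "/app/resources/css/main.css";
  const gif = "/app/resources/img/logo.gif";
  const action = "/app/account/transfer";
  return {
    cssUnprotected: isUnprotected(css, patterns),        // true
    gifUnprotected: isUnprotected(gif, patterns),        // true
    actionUnprotected: isUnprotected(action, patterns),  // false
    cssHrefWithInjection: injectIntoAttribute(css, "abc123", true),
    cssHrefWithoutInjection: injectIntoAttribute(css, "abc123", false),
  };
}

console.log(demo());
```

The point the model makes is the one in the answer: the filter-side list does classify the CSS and GIF paths as unprotected, so the tokens visible on those resources come from the JavaScript rewriting `href`/`src` attributes, which is exactly what the `inject-into-attributes` init-param switches off.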