security - Csrfguard unprotected resources are protected -


i've added owasp csrfguard project , found resources such css , gif-s protected though defined unprotected next piece of configuration:

org.owasp.csrfguard.unprotected.public=%servletcontext%/resources/* org.owasp.csrfguard.unprotected.css=%servletcontext%/resources/css/main.css org.owasp.csrfguard.unprotected.js=*.js org.owasp.csrfguard.unprotected.scripts=*.js org.owasp.csrfguard.unprotected.styles=*.css org.owasp.csrfguard.unprotected.gif=*.gif org.owasp.csrfguard.unprotected.png=*.png org.owasp.csrfguard.unprotected.jpg=*.jpg 

for js-s works fine. what's reason behaviour?thanks in advance.

i'm not sure reason is. know has href attributes (such used css , gif files). unprotected declarations in properties file works fine me when have csrfguard filter on requests (url pattern = "/*"), not when want specify servlet.

however, have found workaround. in web.xml, add init param owaspjavascriptservlet:

<init-param>     <param-name>inject-into-attributes</param-name>     <param-value>false</param-value> </init-param> 

then resources href , src attributes should token-free. see documentation.


Comments

Popular posts from this blog

twig - Using Twigbridge in a Laravel 5.1 Package -

jdbc - Not able to establish database connection in eclipse -

firemonkey - How do I make a beep sound in Android using Delphi and the API? -