[question] Downsides of `csrf.Path("/")`?
adiabatic opened this issue · 2 comments
adiabatic commented
After looking at all the issues with "Path" in them, I've added `csrf.Path("/")` to the list of options I'm passing to `csrf.Protect()`. Now, when I POST to `/dashboard/bags/new/` from `/dashboard/` I don't get a CSRF-token-invalid error.

That said, the documentation for `Path` says that the default is the path the cookie was issued from. What, if anything, am I risking by having just the one CSRF cookie for `/`?
elithrar commented
The risk is primarily around conflicting with other parts of your application, especially in multi-team architectures, or where you don't want to send cookies to certain backends.

Note that this is the default behavior of a cookie: not setting the Path attribute has it default to the current path.
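To make the scoping discussed above concrete, here is an added example that is not part of this thread or of gorilla/csrf. It uses Go's standard `net/http/cookiejar` (which implements the RFC 6265 default-path and path-match rules) as a stand-in for a browser's cookie store, and asks which requests a cookie would be attached to depending on where it was issued and whether `Path` was set explicitly. The origin `https://app.example.test`, the cookie name `csrf_token` and the paths are constructed for illustration; the cookie name does not affect the result.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// origin is a constructed example origin; every request below is same-origin.
const origin = "https://app.example.test"

// cookieSentTo models a browser: a response to issuedFrom sets one cookie,
// optionally with an explicit Path attribute, and we ask whether the browser
// would attach that cookie to a later request for target. When path is ""
// the jar applies the RFC 6265 default-path rule: the cookie is scoped to the
// "directory" of the issuing URL (everything up to the last "/").
func cookieSentTo(issuedFrom, target, path string) bool {
	jar, err := cookiejar.New(nil)
	if err != nil {
		panic(err)
	}
	from, err := url.Parse(issuedFrom)
	if err != nil {
		panic(err)
	}
	to, err := url.Parse(target)
	if err != nil {
		panic(err)
	}
	// Cookie name is arbitrary here; Path "" means "let the browser pick".
	jar.SetCookies(from, []*http.Cookie{{Name: "csrf_token", Value: "v1", Path: path}})
	for _, c := range jar.Cookies(to) {
		if c.Name == "csrf_token" {
			return true
		}
	}
	return false
}

func main() {
	cases := []struct {
		issuedFrom, target, path string
	}{
		// No Path attribute: scoped to the issuing "directory".
		{"/dashboard/bags/", "/dashboard/bags/new/", ""}, // true: /dashboard/bags prefix
		{"/dashboard/bags/", "/dashboard/", ""},         // false: parent path not covered
		{"/dashboard/", "/dashboard/bags/new/", ""},     // true: default path is /dashboard
		{"/dashboard/", "/", ""},                        // false: site root not covered
		{"/dashboard/", "/dashboard-admin/", ""},        // false: prefix must end at a "/"
		// Explicit Path: the cookie goes wherever you point it.
		{"/dashboard/", "/api/internal/", "/"},          // true: Path=/ reaches every backend
		{"/dashboard/", "/api/internal/", "/dashboard"}, // false: explicitly scoped
	}
	for _, c := range cases {
		fmt.Printf("issued at %-18s path=%-11q -> sent to %-22s %v\n",
			c.issuedFrom, c.path, c.target, cookieSentTo(origin+c.issuedFrom, origin+c.target, c.path))
	}
}
```

The last two cases are the trade-off raised in the answer: `Path=/` is what makes the token cookie available on every page that needs it, but it also means every other handler or backend served under the same origin, including ones another team owns, receives that cookie on each request. If that matters, set `Path` to the narrowest prefix that still covers all the pages that post forms.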
adiabatic commented
Good to know. Thanks!