avlidienbrunn / anti-csrf-plugin Goto Github PK

It'll think that the "main domain" is "co.uk" and thus allow anything to be CSRF'd there. Thanks @fransrosen for pointing this out.

Currently you can still do GET CSRF if you redirect the main window (navigate) to the URL. GET CSRF via images/other is still blocked though.

This loops over details.responseHeaders and changes it in the loop. Will it break?

for (var i = 0; i < details.responseHeaders.length; ++i) {
    if (details.responseHeaders[i].name === 'Set-Cookie') {
        details.responseHeaders.splice(i, 1);
        //No break here since multiple set-cookie headers are allowed in one response.
    }
}

By visiting Site1 and then manually typing Site2 in the URL bar, the plugin will strip cookies although it shouldn't since the request was manually initiated. Same with back/forward button and bookmark field.

The code currently keeps track of the current URL by holding an array of tab object(s). This is because I didn't find any synchronous way to get the current URL of the tab issuing the request, but if that's possible somehow it will be a significant performance boost. And nicer code to look at.

Currently I just reload the tab (this makes blocked POST requests valid), but there are many scenarios where this won't solve the issue.

Some sites will set a new session and destroy the old one in the process when a request is made using a faulty and/or missing session cookie. This leads to the user being logged out from the stripped site.