Comments (5)
Since all form requests will be cross-origin, wouldn't it be enough to check that the Origin
header matches a value defined in the config?
from staticman.
For browsers sure, but it's easy to spoof anything with cURL, Ruby or any scripted language (including JavaScript on metal.) and send whatever data you need send. If moderation were enabled it makes it easier to catch these issues but without it, it becomes a problem.
from staticman.
I guess what I am saying is, I can send whatever origin pleases me if it's not in a browser and even then I might still be able to with a few patches if I really really wanted to (but that's not worth it.) But sending random spam with cURL is easy with origin.
from staticman.
I'm with you, that makes sense.
I know the basics of using a token for CSRF protection, but I confess I'll have to think/investigate a bit to come up with an implementation for this specific case.
The token is usually generated and appended to the page server-side, which of course we can't do here. This is why you mentioned an iframe, if I understand correctly. Would you load the form from a non-static source, so that it can generate a token? And wouldn't this source have to be the Staticman API, or not necessarily?
(On a side note, I guess still adding a check for Origin
wouldn't hurt?)
from staticman.
Closing due to inactivity. If you're able to provide any more info and assist with direction, please reopen.
from staticman.
Related Issues (20)
- code: 'ERR_OSSL_UNSUPPORTED' HOT 3
- Prevent javascript injection
- Supporting a more secure hash for email addresses
- Error: Require an `oauthToken` or `token` option HOT 1
- How can you change the Time Zone HOT 1
- Improve documentation for self-hosted staticman + gitlab HOT 6
- "INVALID VERSION" HOT 2
- Support for email servers other than Mailgun HOT 5
- Error: error:02000079:rsa routines::oaep decoding error HOT 1
- [GITHUB_READING_FILE]
- Gitlab and Heroku deployment
- run on vercel
- Heroku shutting down their free tier HOT 38
- Is this project still active? HOT 8
- Unexpected End of JSON Input
- Error 500 [InvalidAsn1Error]: encoding too long HOT 1
- errorCode: INVALID_VERSION when trying to accept the GitHub bot invitation HOT 3
- "errorCode":"GITLAB_READING_FILE"} HOT 2
- RSA private key encoding too long HOT 2
- Staticman for Hugo ? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from staticman.