5

I have done a few mobile apps using django as my backend, and now I am working on a chrome extension. I want my users to be able to send POST requests up to the server using the app/extension but is there a way to do it without first asking the server for a CSRF token? It just saves the app from making two requests every time we want to submit data. For example, I want to update my profile on my social media app or update a wallet from a chrome extension. It would be nice to open up the profile view input the data and push it to the server. It's less sleek if I have to open the profile, then wait for it to grab a token from the server and then I can submit the data. Is there another way to do this? Or am I stuck making multiple requests every time I want to submit data?

Also, a little clarification, CSRF prevents sites from submitting forms with user's data. But what is to stop me from making a site that uses ajax or something to grab the real site and steal the CSRF token and then paste that into my cross site request form? I feel like there is a loophole here. I know that I am not quite understanding this all the way.

Chase Roberts
  • 9,082
  • 13
  • 73
  • 131

1 Answers1

5

You can, and should, make any API endpoint CSRF exempt.

Django offers the csrf_exempt decorator for exactly this, see https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#django.views.decorators.csrf.csrf_exempt.

Also CSRF is intended to prevent unintended actions being performed via GET request forgeries. It is not intended to make it impossible for an automated system to submit forms, there are captchas for that.

As for what prevents you from using AJAX to grab the whole site and extract the token is something called the Same-Origin Policy. This is implemented by the browser and prevents any AJAX call from returning data when the target of the AJAX call is a different domain without the correct headers set. (I'm not entirely sure what sandboxing is applied to chrome extensions concerning this). As such it will, or at least should, fail to get data via AJAX for normal websites, e.g. a profile page. If you want to interact with third party websites you should look into whether or not they offer an API.

EWit
  • 1,954
  • 13
  • 22
  • 19
  • So making it csrf_exempt just makes it so that a csrf token isn't required? If I am using it for the backend to an app and not serving actual pages then I might as well disable the middleware right? I've done a lot of reading about csrf today (I thought I understood it before, but apparently not). Is it fair to say CSRF is to prevent people from making a fake site which tries to get a hold of your user session? – Chase Roberts Feb 08 '14 at 22:12
  • 2
    CSRF may be used for session fixation attacks. But it also allows for other attacks. If you're only creating and API you can indeed remove the CSRF middleware. Instead all request should be authenticated by some means. E.g. token or credentials. – EWit Feb 08 '14 at 22:48