
I use ASP.NET MVC's AntiForgeryToken and ValidateForgeryToken for anti-CSRF for POSTs (AJAX POSTs and form POSTs).

Does WebSharper have something that does the same job?

(I can't consider using a web framework that doesn't have this, so knowing up-front whether the ability exists or not dictates whether I can look into WebSharper further.)

Bellarmine Head

1 Answer


It didn't, but CSRF support was recently added for RPC. The current release (3.3) is the first release with support for it, so as long as you're up to date, it's supported.

I've linked to the commit below in case you want to see the internals, but it's your standard CSRF token.

https://github.com/intellifactory/websharper/commit/409dcaae9bb26de19815e633776fe9196d0e2263

Alex Hardwicke
  • Does WebSharper's RPC mechanism relate to form POSTs and/or AJAX POSTs? – Bellarmine Head Jul 23 '15 at 08:04
  • It does, yes. Forgive the quick response, I'm about to go on holiday. Quick detail: When you call server-side code from client-side in WebSharper, you "call" a server-side function rather than POSTing to a URL (WebSharper compiles this to POST or AJAX POST of course). To be able to do this you must expose the function so it can be called remotely - and that's what the [] attribute does. The only ways to call WebSharper functions I can think of are either to visit a page or similar (a GET, with no data), or to call an RPC function (POST, has CSRF). – Alex Hardwicke Jul 23 '15 at 12:38
  • Ran out of text. A quick Google revealed http://wssnippets.apphb.com/snippet/15/rpc-mechanism which looks like a fairly good example of how this works. Before entering the md5 function (with the RPC attribute), WebSharper will now check for a CSRF token and won't call the function if it's missing or invalid (it'll return an error status code). If you have any more questions, feel free to ask - I'll answer in a few days if I can, otherwise I'm sure someone else will. The new CSRF implementation is definitely all you need in my opinion, though (that's why only RPC got CSRF). – Alex Hardwicke Jul 23 '15 at 12:41
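As an added illustration (not WebSharper's code and not the linked commit), the check the answer describes, written in Python: a random token is issued per session, and an RPC dispatcher refuses to invoke the exposed function, returning an error status, when the token is missing or does not match. The session store, the function registry and the `md5` function are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict, Optional, Tuple

# Constructed stand-in for a server-side session store: session id -> CSRF token.
SESSIONS: Dict[str, str] = {}

# Records which exposed functions were actually invoked, to show that a rejected
# request never reaches the function body.
CALL_LOG: list = []

def _md5(text: str) -> str:
    CALL_LOG.append("md5")
    return hashlib.md5(text.encode("utf-8")).hexdigest()

# Registry of functions exposed for remote calls. This stands in for functions
# marked with WebSharper's RPC attribute; the names are made up for this example.
RPC_FUNCTIONS = {"md5": _md5}

def issue_token(session_id: str) -> str:
    """Create a fresh random CSRF token for a session and remember it server-side.

    The client sends this token back with every RPC POST (e.g. in a header).
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token

def dispatch_rpc(session_id: str, func_name: str,
                 submitted_token: Optional[str], *args: Any) -> Tuple[int, Any]:
    """Validate the CSRF token, then invoke the requested RPC function.

    Returns (http_status, result). A missing or invalid token yields 403 and the
    function is never called; an unknown function name yields 404.
    """
    expected = SESSIONS.get(session_id)
    if submitted_token is None or expected is None:
        return 403, None
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected.encode(), submitted_token.encode()):
        return 403, None
    func = RPC_FUNCTIONS.get(func_name)
    if func is None:
        return 404, None
    return 200, func(*args)

if __name__ == "__main__":
    sid = "session-abc"  # constructed session id
    token = issue_token(sid)
    print(dispatch_rpc(sid, "md5", token, "hello"))     # valid token: function runs
    print(dispatch_rpc(sid, "md5", None, "hello"))      # missing token: 403
    print(dispatch_rpc(sid, "md5", "forged", "hello"))  # wrong token: 403
```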