On Feb 8, 2021, at 18:38, zsol...@gmail.com <zsolt....@gmail.com> wrote:
> 
> There are a few things which are confusing me here:
> 1. I can remove get_cookie and get_csrf_token and just hard-code 
> 'dummy_csrf_token' into login / post(), and it still works. Am I missing 
> something here?

The CookieCSRFStoragePolicy does not attempt to verify the cookie's value, it 
just needs the value in the submitted form request (header or body) to match 
the value in the cookie.

> 2. I don't get all the CSRF behaviour here. Isn't it generated on the server 
> side and webtest is client side only? How can it make Pyramid accept a 
> "dummy_csrf_token" as a CSRF token? Is there some magic in 
> CookieCSRFStoragePolicy or WebTest?

The assumption is that no one but your domain can set cookies on your domain, 
so it doesn't need to be overly protected from tampering - it just needs to be 
a value that malicious code running on another domain can't access or set.

> 3. Do I understand right that using CookieCSRFStoragePolicy is required for 
> webtest CSRF to work?

No, it's not required, but it is a really simple approach. There are plenty of 
alternatives to grab the CSRF token in your code so that you can re-submit it 
in subsequent requests, but they aren't as easy. The trick to any CSRF request 
is that it's trying to enforce a GET followed by a POST, to avoid people 
triggering a cross-site POST from their own domain with malicious content. So 
if you do a GET first, you can parse the token out of the returned form, or 
webtest also has APIs that can be used to submit the form without any parsing, 
assuming your app accepts a web form submitted in 
x-www-form-urlencoded format.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/pylons-discuss/D4ABEBDF-68FB-41AF-AC9D-33CDCAE66AAA%40gmail.com.
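To make the three answers above concrete, here is an added, self-contained example (not code from the thread, from Pyramid or from WebTest). It implements the same double-submit rule the reply describes in a bare WSGI app: the token submitted in the `X-CSRF-Token` header or the `csrf_token` form field must equal the `csrf_token` cookie, and nothing else about the cookie is checked. The `Client` class is a stand-in for `webtest.TestApp` (cookie jar plus direct WSGI calls, so it runs offline); the cookie, header and field names are assumptions borrowed from Pyramid's defaults, and the `/login` route, user name and `dummy_csrf_token` value are constructed for the demonstration.

```python
"""Double-submit-cookie CSRF check, written to mirror the rule in the reply above.
This is illustrative stdlib code, not Pyramid's CookieCSRFStoragePolicy."""
import re
import secrets
from http.cookies import SimpleCookie
from io import BytesIO
from urllib.parse import parse_qs, urlencode

COOKIE_NAME = "csrf_token"           # assumed: Pyramid's default cookie name
HEADER_NAME = "HTTP_X_CSRF_TOKEN"    # WSGI spelling of the X-CSRF-Token header
FIELD_NAME = "csrf_token"            # hidden form field carrying the token


def _cookies(environ):
    jar = SimpleCookie()
    jar.load(environ.get("HTTP_COOKIE", ""))
    return {name: morsel.value for name, morsel in jar.items()}


def _form(environ):
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length).decode()
    return {k: v[0] for k, v in parse_qs(body).items()}


def csrf_ok(environ):
    """The entire policy: submitted token == cookie token. The cookie value is
    never validated server-side, so any string (even 'dummy_csrf_token') works
    as long as the same string is submitted with the request."""
    expected = _cookies(environ).get(COOKIE_NAME)
    if not expected:                      # no cookie: a cross-site origin can't set one
        return False
    submitted = environ.get(HEADER_NAME)
    if submitted is None and environ.get("CONTENT_TYPE", "").startswith(
            "application/x-www-form-urlencoded"):
        submitted = _form(environ).get(FIELD_NAME)
    return submitted is not None and secrets.compare_digest(
        submitted.encode(), expected.encode())


def app(environ, start_response):
    method, path = environ["REQUEST_METHOD"], environ["PATH_INFO"]
    if method == "GET" and path == "/login":
        # First GET: issue a cookie (reusing an existing one) and render a form
        # carrying the same token in a hidden field.
        token = _cookies(environ).get(COOKIE_NAME) or secrets.token_hex(16)
        html = (f'<form method="post"><input type="hidden" '
                f'name="{FIELD_NAME}" value="{token}"></form>')
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("Set-Cookie", f"{COOKIE_NAME}={token}; Path=/; SameSite=Lax")])
        return [html.encode()]
    if method == "POST" and path == "/login":
        if not csrf_ok(environ):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"CSRF token mismatch"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"logged in"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b""]


class Client:
    """Tiny stand-in for webtest.TestApp: keeps a cookie jar, calls the WSGI app directly."""

    def __init__(self, wsgi_app):
        self.app, self.cookies = wsgi_app, {}

    def set_cookie(self, name, value):   # same idea as TestApp.set_cookie
        self.cookies[name] = value

    def request(self, method, path, body=b"", wsgi_headers=None):
        environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
                   "wsgi.input": BytesIO(body), "CONTENT_LENGTH": str(len(body)),
                   "HTTP_COOKIE": "; ".join(f"{k}={v}" for k, v in self.cookies.items())}
        environ.update(wsgi_headers or {})   # extra headers given in WSGI key form
        captured = {}

        def start_response(status, response_headers):
            captured["status"] = status
            for key, value in response_headers:
                if key.lower() == "set-cookie":   # store cookies the app sets
                    jar = SimpleCookie()
                    jar.load(value)
                    for name, morsel in jar.items():
                        self.cookies[name] = morsel.value
        out = b"".join(self.app(environ, start_response))
        return captured["status"], out.decode()

    def get(self, path):
        return self.request("GET", path)

    def post(self, path, form=None, wsgi_headers=None):
        headers = {"CONTENT_TYPE": "application/x-www-form-urlencoded"}
        headers.update(wsgi_headers or {})
        return self.request("POST", path, urlencode(form or {}).encode(), headers)


def dummy_token_login():
    """Question 1: a hard-coded token works because only equality is checked."""
    c = Client(app)
    c.set_cookie(COOKIE_NAME, "dummy_csrf_token")
    return c.post("/login", {"user": "zsolt"}, {HEADER_NAME: "dummy_csrf_token"})[0]


def mismatched_token_login():
    """Cookie and submitted token differ: rejected."""
    c = Client(app)
    c.set_cookie(COOKIE_NAME, "dummy_csrf_token")
    return c.post("/login", {"user": "zsolt"}, {HEADER_NAME: "something_else"})[0]


def cross_site_post():
    """Question 2: a token in the body but no cookie (another origin can't set
    one on our domain) is rejected."""
    return Client(app).post("/login", {"user": "zsolt", FIELD_NAME: "dummy_csrf_token"})[0]


def get_then_post_login():
    """Question 3: the GET-then-POST flow, parsing the hidden field from the form."""
    c = Client(app)
    _, html = c.get("/login")
    token = re.search(r'name="csrf_token" value="([0-9a-f]+)"', html).group(1)
    return c.post("/login", {"user": "zsolt", FIELD_NAME: token})[0]
```

The first three functions show why a dummy value passes and a mismatch or a cookie-less cross-site POST does not; the last one is the parse-the-form approach the reply mentions, which works without pre-setting any cookie because the GET issues one.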