Hi Leigh,

There is no built-in way to do this.  For Direct Actions you have to do it on 
your own.  Component Actions are already somewhat safe due to the obscure 
nature of the element ID on the URL.  But if someone knows WO and is familiar 
with the structure of your site there is still a window for CSRF attacks.  I 
don’t think you can do anything automatic without having access to the WO 
source code, but the ERXForm etc. subclasses that Wonder installs might let you 
create an automated way of doing this.

Chuck
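Chuck's point that Direct Actions get no built-in protection is easiest to see with the synchronizer-token pattern from the OWASP cheat sheet Leigh linked. The class below is an added illustration, not code from this thread, from WebObjects or from Wonder; the WebObjects calls it leans on (WODirectAction, existingSession(), WORequest.method()/formValueForKey(), WOSession.objectForKey()/setObjectForKey()) and the component names ForbiddenPage and ProfileUpdated are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import com.webobjects.appserver.WOActionResults;
import com.webobjects.appserver.WODirectAction;
import com.webobjects.appserver.WORequest;
import com.webobjects.appserver.WOSession;

/**
 * Synchronizer-token CSRF guard for a Direct Action (hypothetical example).
 * The token is stored in the session, rendered into each form as a hidden
 * field named "csrfToken", and must be echoed back on every state-changing POST.
 */
public class CsrfGuardedAction extends WODirectAction {
    static final String TOKEN_KEY = "csrfToken";      // session key and hidden-field name
    private static final SecureRandom RNG = new SecureRandom();

    public CsrfGuardedAction(WORequest request) {
        super(request);
    }

    /** Token for this session, minted on first use; components render it into the form. */
    static String tokenForSession(WOSession session) {
        String token = (String) session.objectForKey(TOKEN_KEY);
        if (token == null) {
            byte[] raw = new byte[32];                 // 256 bits from a CSPRNG
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setObjectForKey(token, TOKEN_KEY);
        }
        return token;
    }

    /** Constant-time compare so response timing does not reveal a partial match. */
    static boolean tokenMatches(String expected, Object submitted) {
        if (expected == null || !(submitted instanceof String)) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     ((String) submitted).getBytes(StandardCharsets.UTF_8));
    }

    /** A state-changing action: refuse unless the request carries the session's token. */
    public WOActionResults updateProfileAction() {
        WOSession session = existingSession();         // never create a session for a forged request
        boolean ok = session != null && "POST".equals(request().method())
                && tokenMatches((String) session.objectForKey(TOKEN_KEY),
                                request().formValueForKey(TOKEN_KEY));
        if (!ok) return pageWithName("ForbiddenPage"); // hypothetical error component
        // ... perform the real update here ...
        return pageWithName("ProfileUpdated");         // hypothetical confirmation component
    }
}
```

The same check belongs on every Direct Action that changes state; read-only GET actions need no token, which is also why the guard insists on POST.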


From: Webobjects-dev 
<webobjects-dev-bounces+chill=gevityinc....@lists.apple.com> on behalf of Leigh 
Kivenko <lei...@portfolioaid.com>
Date: Friday, December 15, 2017 at 11:56 AM
To: WebObjects-Dev <webobjects-dev@lists.apple.com>
Subject: Cross-Site Request Forgery

Hello,
Just wondering if anyone has ever had to harden their WebObjects applications 
against CSRF:

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Is there a way to have WebObjects do this automatically or do we need to 
implement this on our own?

Thanks,

Leigh Kivenko | VP, Technology
PortfolioAid
t. 416-479-0523 | e. lei...@portfolioaid.com

This e-mail may be privileged and confidential. If you received this e-mail in 
error, please do not use, copy or distribute it, but advise me immediately (by 
return e-mail or otherwise), and delete the e-mail.
