#ring
2020-02-07
Endre Bakken Stovner22:02:12

Web noob here: is there any point at all in a CSRF token for a same-machine app? (Using clj for computation, cljs for visualization in the browser.) I am 99.999% sure there is not

aisamu22:02:28

I'll add an extra 9 to your confidence value

jumar08:02:56

What does the same machine app mean? Do you have any post handlers in your app?

Endre Bakken Stovner19:02:42

Yes, there are post handlers which the user uses to send data to the running application 🙂 Same-machine app: meant to be used on the same machine, not to serve web pages to clients (dunno if this is the terminology)

jumar19:02:25

Who’s gonna consume the cljs app then? Is it only going to run locally and never ever served over a network? In that case I’d say you’re pretty safe :)

weavejester18:02:48

CSRF covers the confused deputy attack, which relies on an attacker tricking a user into making a request on their behalf.

weavejester18:02:47

It’s a problem if an attacker knows about your system and where it is, and can get you to visit a website under their control.