monit-general
Re: CSRF does not work in iframe.


From: Bhuvan Gupta
Subject: Re: CSRF does not work in iframe.
Date: Thu, 14 Sep 2017 09:43:34 +0530

Any help would be nice.

On Thu, Sep 7, 2017 at 12:37 PM, Bhuvan Gupta <address@hidden> wrote:
Hello all,

I created an allMonit.html which has two iframes, with src pointing at two different monit HTTP interfaces running on two different systems.

allMonit.html structure
    <iframe src="http://firstserver:2812"></iframe>
    <iframe src="http://seconderver:2812"></iframe>

Now when I open allMonit.html in Chrome, I see two monit interfaces. GREAT

Now if I try to, let's say, "start a service" on firstserver, I get invalid CSRF.

Upon investigation I found that without the iframe the HTTP request contains a Cookie header like
Cookie: securitytoken=6265d84a17c2715c7252c84d88a479cf
whereas the HTTP request from the iframe does not include a Cookie header.

Upon further study, I found that the monit HTTP response does not contain the following header:
Access-Control-Allow-Credentials: true
and hence the browser will not transmit the cookie back to the server.

Now the question arises:

QUESTION: How to configure monit to add an additional HTTP header?

Thanks
Bhuvan
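The following is an added example, not code from this thread or from monit itself. It models the two sides of what the poster observed: a server-side double-submit-cookie check that accepts a state-changing request only when the securitytoken cookie and the token posted in the form match (an assumed scheme; monit's actual check is not shown on this page), and the CORS response headers a server has to emit before a browser will attach cookies to a cross-origin fetch()/XMLHttpRequest. The cookie name and the token value are taken from the post; the function names checkCsrf and corsHeaders, the form field names, the sample request objects and the origins allmonit.example / evil.example are constructed for the example.

```javascript
// Added example (not monit's code): double-submit-cookie CSRF check plus the
// CORS headers needed for a credentialed cross-origin fetch()/XHR.
// Cookie name and token value come from the post; everything else is assumed.

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Parse an application/x-www-form-urlencoded body into a plain object.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body || ""));
}

// Constant-time string compare so a wrong token does not leak via timing.
function tokensEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Double-submit-cookie check (assumed scheme): the token posted in the form
// must equal the token carried in the securitytoken cookie. A request that
// arrives without the cookie, as in the iframe case from the post, cannot
// pass no matter what the form contains.
function checkCsrf(req) {
  const cookieToken = parseCookies(req.headers.cookie).securitytoken;
  const formToken = parseForm(req.body).securitytoken;
  if (!cookieToken) return { ok: false, reason: "no securitytoken cookie on request" };
  if (!formToken) return { ok: false, reason: "no securitytoken field in form" };
  if (!tokensEqual(cookieToken, formToken)) return { ok: false, reason: "invalid CSRF token" };
  return { ok: true, reason: "ok" };
}

// CORS headers for a credentialed cross-origin fetch()/XHR. Browsers refuse
// Access-Control-Allow-Credentials: true when Allow-Origin is "*", so the
// requesting origin must be echoed back from an explicit allow-list.
// Returns null for origins not on the list (no CORS headers at all).
function corsHeaders(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return null;
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Constructed sample requests (not captured traffic). The token value is the
// one shown in the post; the form fields are assumed.
const TOKEN = "6265d84a17c2715c7252c84d88a479cf";
const formBody = "action=start&service=nginx&securitytoken=" + TOKEN;

// Request as sent when the monit UI is opened directly: Cookie header present.
const directRequest = { headers: { cookie: "securitytoken=" + TOKEN }, body: formBody };
// Request as sent from inside the iframe in the post: no Cookie header at all.
const iframeRequest = { headers: {}, body: formBody };
// Classic cross-site forgery: the victim's browser attaches the real cookie,
// but the attacker cannot read it, so the form token is only a guess.
const forgedRequest = {
  headers: { cookie: "securitytoken=" + TOKEN },
  body: "action=start&service=nginx&securitytoken=" + "0".repeat(32),
};

function demo() {
  for (const [name, req] of Object.entries({ directRequest, iframeRequest, forgedRequest })) {
    console.log(name, checkCsrf(req));
  }
  console.log(corsHeaders("http://allmonit.example", ["http://allmonit.example"]));
  console.log(corsHeaders("http://evil.example", ["http://allmonit.example"]));
}

demo();
```

Two caveats for anyone trying this against a real deployment. Access-Control-Allow-Credentials only governs script-initiated fetch()/XMLHttpRequest (which must also be sent with credentials: 'include'); a form submitted or a link followed inside the iframe is an ordinary navigation request, and whether the browser attaches cookies to it depends on the cookie's attributes (such as SameSite) and on the browser's third-party-cookie policy, not on CORS headers. And because echoing an origin together with Allow-Credentials lets that origin read authenticated responses, the allow-list should name exact origins rather than being derived from the request.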