
CSRF and file upload

Ofer Shany
5 years ago Nov 01, 2016 3:46pm
Leif Åstrand
5 years ago Nov 03, 2016 12:17pm

For uploads, a CSRF token is part of the URL to which the file is being sent (i.e. part of the "action" part of the upload form). The end result is exactly the same as with regular requests sent by the framework: an attacker cannot know everything needed for making the user's browser send something that would look like a legitimate request without either reading messages sent from the server to that user (i.e. man-in-the-middle) or running JavaScript in the context of the user's application (i.e. XSS).

The token is not the same one that is used for regular communication, but it is instead generated separately for each Upload component and stored as part of the user's session. This actually means that the protection is slightly stronger for upload requests.
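
The per-component upload token described above, shown as an added, self-contained illustration of the pattern; this is not Vaadin's own code, and the URL layout (`/APP/UPLOAD/<component-id>?csrf=<token>`) and the `Session` class are assumptions made for the example, not Vaadin's real request format. The server mints a fresh random token for each Upload component, stores it in the user's session, embeds it in the form's action URL, and only accepts an upload whose token matches the one stored for that component in that session.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical URL prefix for the example; Vaadin's actual upload URL differs.
UPLOAD_PREFIX = "/APP/UPLOAD/"


class Session:
    """Minimal stand-in for a server-side HTTP session (constructed for the example)."""

    def __init__(self):
        # One independent token per Upload component, keyed by component id.
        self.upload_tokens = {}


def register_upload(session, component_id):
    """Generate a fresh, unguessable token when an Upload component is created."""
    token = secrets.token_urlsafe(32)
    session.upload_tokens[component_id] = token
    return token


def upload_action_url(session, component_id):
    """Build the form 'action' URL; the token travels in the URL, not in a cookie."""
    token = session.upload_tokens[component_id]
    return UPLOAD_PREFIX + component_id + "?" + urlencode({"csrf": token})


def validate_upload_request(session, method, url):
    """Server-side check run before any uploaded bytes are processed.

    A forged cross-site form can set the path and method, but it cannot
    know the token unless the attacker reads the page or runs script in it.
    """
    if method != "POST":
        return False
    parsed = urlparse(url)
    if not parsed.path.startswith(UPLOAD_PREFIX):
        return False
    component_id = parsed.path[len(UPLOAD_PREFIX):]
    presented = parse_qs(parsed.query).get("csrf", [""])[0]
    expected = session.upload_tokens.get(component_id)
    if expected is None:
        # Unknown component, or an Upload this session never created.
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected, presented)


def forged_url(component_id, guessed_token=""):
    """A request an attacker's page could construct without knowing the real token."""
    return UPLOAD_PREFIX + component_id + "?" + urlencode({"csrf": guessed_token})


if __name__ == "__main__":
    victim = Session()
    register_upload(victim, "upload-1")
    print("legit:", validate_upload_request(victim, "POST", upload_action_url(victim, "upload-1")))
    print("forged:", validate_upload_request(victim, "POST", forged_url("upload-1")))
```

Because each Upload component carries its own token, a token that leaks for one component (for instance through a log line) grants nothing for another component or another session, which is the sense in which the per-component scheme is somewhat stronger than a single per-session value.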

Ofer Shany
5 years ago Nov 03, 2016 12:42pm