You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A request like the following would be blocked if made from a different origin:
// fetch API or <form action="https://test.example.com/" method="POST">fetch('https://test.example.com/',{method: 'POST',credentials: 'include',body: 'a=b',headers: {'Content-Type': 'application/x-www-form-urlencoded'},});// => Cross-site POST form submissions are forbidden
However, a vulnerability exists that can bypass this security.
Pattern 1: Requests with a semicolon after the Content-Type
A semicolon-delimited parameter is allowed after the type in Content-Type.
Web browsers will treat a Content-Type such as application/x-www-form-urlencoded; abc as a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected.
The Content-Type header is not required for a request. The following examples are sent without a Content-Type header, resulting in CSRF.
// Pattern 2.1 Request without bodyfetch('http://test.example.com',{method: 'POST',credentials: 'include'});// Pattern 2.2 Blob object without typefetch('https://test.example.com',{method: 'POST',credentials: 'include',body: newBlob(['a=b'],{}),});
Impact
Bypass CSRF protection implemented with CSRF middleware.
Note
Even with credentials: 'include', browsers may not send cookies due to third-party cookie blocking. This feature depends on the browser version and settings, and is for privacy protection, not as a CSRF measure.
Summary
A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.
Details
When the
security.checkOrigin
configuration option is set totrue
, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)For example, with the following Astro configuration:
A request like the following would be blocked if made from a different origin:
However, a vulnerability exists that can bypass this security.
Pattern 1: Requests with a semicolon after the
Content-Type
A semicolon-delimited parameter is allowed after the type in
Content-Type
.Web browsers will treat a
Content-Type
such asapplication/x-www-form-urlencoded; abc
as a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected.Pattern 2: Request without
Content-Type
headerThe
Content-Type
header is not required for a request. The following examples are sent without aContent-Type
header, resulting in CSRF.Impact
Bypass CSRF protection implemented with CSRF middleware.
Note
Even with
credentials: 'include'
, browsers may not send cookies due to third-party cookie blocking. This feature depends on the browser version and settings, and is for privacy protection, not as a CSRF measure.References