App-HTTP_Proxy_IMP


lib/App/HTTP_Proxy_IMP/IMP/CSRFprotect.pm

    }

    # remove cookies, because there is no cross-domain trust
    # we should remove authorization header too, but then access to the
    # protected site will probably not be available at all (see BUGS section)
    my @del;
    push @del,$1 while ( $hdr =~s{^(Cookie|Cookie2):[ \t]*(.*(?:\n[ \t].*)*)\n}{}im );
    if (@del) {
	$self->run_callback([ 
	    IMP_LOG,0,0,0,IMP_LOG_INFO,
	    "removed cross-origin session credentials (@del) for request @origin -> @target" 
	]);
	# return changed header
	return $hdr; 
    }

    # nothing changed
    return undef;
}

# find out if response header contains delegation through a redirect

lib/App/HTTP_Proxy_IMP/IMP/CSRFprotect.pm

1;
__END__

=head1 NAME

App::HTTP_Proxy_IMP::IMP::CSRFprotect - IMP plugin against CSRF attacks

=head1 DESCRIPTION

This plugin attempts to block malicious cross-site requests (CSRF) by removing
session credentials (Cookie, Cookie2 and Authorization headers) from the request
if the origin of the request is not known or not trusted.
The origin is determined by checking the Origin or the Referer HTTP-header of
the request.
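
The behaviour described above, as an added Perl example (not the module's own code): it derives the origin from the Origin header, falling back to Referer, and strips Cookie and Cookie2 with the substitution from the excerpt, which also consumes folded continuation lines. The `%trusted` table, the helper names and the `example.test` hosts are assumptions, because the plugin's actual trust rules are not shown in this excerpt.

```perl
use strict;
use warnings;

# Hypothetical allowlist (origin host => allowed target hosts); the plugin's
# real trust rules are not part of the excerpt and are assumed here.
my %trusted = ( 'login.example.test' => { 'app.example.test' => 1 } );

# Host part of the Origin header, else of the Referer header, else undef.
sub request_origin {
    my ($hdr) = @_;
    for my $name (qw(Origin Referer)) {
        return lc $1
            if $hdr =~ m{^\Q$name\E:[ \t]*https?://([^/:\s]+)}im;
    }
    return;
}

# Host header value without the port, or undef if there is none.
sub request_target {
    my ($hdr) = @_;
    return $hdr =~ m{^Host:[ \t]*([^:\s]+)}im ? lc $1 : undef;
}

# Returns the (possibly changed) header and the names of removed fields.
sub strip_credentials {
    my ($hdr) = @_;
    my $origin = request_origin($hdr);
    my $target = request_target($hdr);
    # Same host or allowlisted pair: leave the header untouched.
    return ($hdr) if defined $origin && defined $target
        && ( $origin eq $target || ( $trusted{$origin} // {} )->{$target} );
    # Unknown or untrusted origin: drop every Cookie/Cookie2 field.
    my @del;
    push @del, $1
        while $hdr =~ s{^(Cookie|Cookie2):[ \t]*(.*(?:\n[ \t].*)*)\n}{}im;
    return ( $hdr, @del );
}

# Constructed sample: cross-site request with a folded Cookie header.
my $req = join "\r\n",
    'POST /transfer HTTP/1.1',
    'Host: bank.example.test',
    'Origin: https://other.example.test',
    'Cookie: sid=abc123;',
    "\ttheme=dark",
    'Cookie2: $Version=1',
    'Content-Length: 0', '', '';
my ( $new, @removed ) = strip_credentials($req);
print "removed: @removed\n", $new;
```

A request with neither an Origin nor a Referer header is treated as unknown origin, so its cookies are stripped as well.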

An origin O is considered trusted to issue a cross-site request to target T, if

=over 4

=item * 


