[Catalyst] Picking template type based on input
Tomas Doran
bobtfish at bobtfish.net
Sun Mar 28 22:13:08 GMT 2010
On 28 Mar 2010, at 15:12, Jon mailinglists wrote:
> I then login to my application in one tab, and in another tab access
> this js/html. That will give back the data about me since I've got a
> valid session which gets sent to my catalyst server. That means
> evilempire.com has access to my logged in users data, and that's what
> I want to protect them from. XSS from another site.
Is that not XSRF, rather than XSS?
> That's why I was talking auth tokens or some other means of
> protection.
I guess so, given that auth tokens are an XSRF protection really :)
> I suppose more people have thought of that, and this isn't really
> Catalyst specific but very general. What I wonder though is if there's
> any built in mechanism to protect from that since if I haven't got it
> all wrong are cookie based sessions pretty much useless as security.
There are a number of pre-baked solutions to this on CPAN / in various
form systems.
That said, there is no generic thing you can plug into an arbitrary
Catalyst application which will try to protect you.
It would be possible to parse the HTML your app output, add an extra
hidden field to any forms you had generated in the page, and then look
for a previously generated token and redirect / refuse the request if
it wasn't present.
However this would obviously not catch forms generated purely from
Javascript (and a number of other cases), and so I'm somewhat doubtful
of its value in more complex applications. I can certainly remember
the stuff which tries to achieve this that is baked into Rails making
me scream :)
That said - the wiki could very much benefit from a few pages which
clearly explained the issue(s) surrounding XSS and XSRF in more
detail, along with a rundown of what various form systems provide to
mitigate these issues (and any other more generic modules available).
Would you be prepared to write (even some) of this - given you seem to
already be doing the research?
> Was this easier to follow?
Yes. I thought that's what you meant the first time round, but I
wasn't sure, and so I decided to wait for clarification (as other
people had already replied when I saw your first mail).
Cheers
t0m
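The mechanism sketched in the reply above (generate a per-session token, add it as a hidden field to the forms in the rendered page, then refuse any state-changing request that does not carry it back) is shown below as an added, framework-agnostic Python example. It is not Catalyst code and not code from anyone on the thread; the session dictionary, the field name `csrf_token`, the `/transfer` form and the `simulate()` walk-through are all constructed for illustration.

```python
"""Synchronizer-token XSRF protection, as described on the list (added example)."""
import hmac
import re
import secrets
from html import escape

TOKEN_FIELD = "csrf_token"              # hypothetical hidden-field / session key name
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # read-only methods are not token-checked

# Matches every <form ...> opening tag so a hidden field can be placed right after it.
# As the reply notes, post-processing HTML like this cannot see forms built by JavaScript.
_FORM_TAG = re.compile(r"(<form\b[^>]*>)", re.IGNORECASE)


def ensure_token(session):
    """Return the token tied to this session, creating a random one on first use."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_hex(32)   # 256 bits, unguessable
    return session[TOKEN_FIELD]


def inject_hidden_fields(html_body, token):
    """Add a hidden token field directly after every <form ...> opening tag."""
    hidden = (f'<input type="hidden" name="{TOKEN_FIELD}" '
              f'value="{escape(token, quote=True)}">')
    return _FORM_TAG.sub(lambda m: m.group(1) + hidden, html_body)


def request_allowed(session, method, params):
    """True if the request may proceed: safe method, or token matches the session's.

    A request forged from another origin carries the session cookie (so
    `session` is the victim's) but cannot know the token, so it is refused.
    """
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get(TOKEN_FIELD)
    submitted = params.get(TOKEN_FIELD)
    if not isinstance(expected, str) or not isinstance(submitted, str):
        return False
    # Constant-time comparison so a mismatch leaks nothing about the expected value.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def simulate():
    """Constructed walk-through: one legitimate POST, one cross-site forgery, one GET."""
    session = {"user": "alice"}                 # constructed logged-in session
    token = ensure_token(session)
    page = inject_hidden_fields(
        '<form method="post" action="/transfer"><input name="amount"></form>', token)
    legit = request_allowed(session, "POST", {"amount": "10", TOKEN_FIELD: token})
    forged = request_allowed(session, "POST", {"amount": "10"})   # cookie only, no token
    read_only = request_allowed(session, "GET", {})
    return {"page_has_field": TOKEN_FIELD in page,
            "legit": legit, "forged": forged, "read_only": read_only}


if __name__ == "__main__":
    print(simulate())   # {'page_has_field': True, 'legit': True, 'forged': False, 'read_only': True}
```

The check only guards requests whose method is not in `SAFE_METHODS`; if an application exposes data-returning endpoints that a logged-in browser will fetch from any origin, those need the same token (or another origin check) as well, which is exactly the gap the thread is worried about.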