Page MenuHomePhabricator

The API should not require CSRF tokens for an OAuth request
Open, LowestPublic


OAuth uses the Authentication header, not cookies, so it's not vulnerable to CSRF attacks. Requiring extra token lookup requests from apps using OAuth is unnecessary extra complexity.

Event Timeline

Tgr created this task.Feb 8 2016, 7:19 PM
Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description. (Show Details)
Tgr added subscribers: Tgr, csteipp, Anomie.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptFeb 8 2016, 7:19 PM
Krenair added a subscriber: Krenair.Feb 8 2016, 7:24 PM
Anomie added a comment.Feb 8 2016, 9:24 PM

I'm inclined to decline this: requiring the CSRF tokens doesn't hurt anything besides an extra round-trip once to fetch the token and a few bytes to send it, and it's likely to be much more complex[1] to sometimes require them and sometimes not than it is to just always require them.

I also note that clients that support both OAuth and non-OAuth authentication (e.g. anything that wants to support non-WMF wikis too) will have to already have to have the code for handling the tokens, so it's not even likely to save them anything.

[1]: Specifically, much more complex in the code that actually checks that the token is valid. And unnecessary complexity in security code is generally considered bad.

Tgr triaged this task as Lowest priority.Mar 7 2017, 3:52 AM

@EvanProdromou ran into this one again today. :)