CSRF issues with serving global JS files


joe hobson

Sep 27, 2017, 4:33:53 PM
to Canvas LMS Users
I run an open source (self-hosted) Canvas system deployed on two front-end servers through a load balancer. I'd like to use global js and css files (styling, Google Analytics tracking, etc). After I add a global JS file in the theme editor, I get a 422 error in my browser console when loading a page (for /accounts/1/files/12345/download?verifier=xxxxxx). The canvas log shows this error:

ActionController::InvalidCrossOriginRequest (Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.): 
/var/canvas/vendor/bundle/ruby/2.4.0/gems/actionpack-5.0.2/lib/action_controller/metal/request_forgery_protection.rb:239:in `verify_same_origin_request'

Anything special I need to do in Canvas or my nginx or load balancer configs to make it all happy? I'd like to avoid disabling forgery protection. I am not using a files_domain or S3 file hosting.
 
Thanks! ... .joe

(forgive me for the cross-post, but no one on Canvas Developers community group responded to my thread)

Graham Ballantyne

Sep 27, 2017, 6:40:55 PM
to canvas-l...@googlegroups.com
Hi Joe,

It's a known issue, but unfortunately hasn't gotten a lot of attention inside Instructure as they don't use local file storage and thus don't run into the problem. We worked around it by exempting the `files#show_relative` method from `protect_from_forgery`. It's a brute-force fix, but it does work (we've been running with it in production for nearly a year now).


Graham.

--
Graham Ballantyne
IT Services
Simon Fraser University
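To make the error in Joe's log and Graham's workaround concrete, here is an added plain-Ruby model of the check (not Canvas or Rails code, and not Graham's patch). It assumes a simplified version of the Rails logic: a non-XHR GET whose response is JavaScript is treated as a `<script src>` embed from a foreign page and refused with 422, because such a response could be included cross-site and its effects observed (cross-site script inclusion), which CORS would block for a fetch/XHR. Exempting `files#show_relative` (the controller/action named in the thread) means that action is never marked for same-origin verification, so the check does not run for it. The request objects, content types and the `exempt:` parameter are constructed for the illustration; the trade-off is that any script that action serves can then be embedded by other sites, which is only acceptable when, as with global theme files, the content is the same for every visitor.

```ruby
# Added illustration (not Canvas or Rails code): a plain-Ruby model of
# ActionController's same-origin JavaScript check and the effect of
# exempting one controller action from forgery protection.

# A request as the check sees it; real Rails reads these from the Rack
# request and the response being rendered.
Request = Struct.new(:verb, :controller, :action, :content_type, :xhr,
                     keyword_init: true)

# Content types the model treats as JavaScript (assumption: simplified
# from Rails' own content-type match).
JS_TYPES = %w[text/javascript application/javascript].freeze

# Does the response look like a <script src> embed from another page?
# A non-XHR GET returning JavaScript is exactly what a foreign page's
# <script> tag produces, so the check refuses it.
def non_xhr_javascript_response?(req)
  req.verb == "GET" &&
    JS_TYPES.any? { |t| req.content_type.to_s.start_with?(t) } &&
    !req.xhr
end

# Model of the after_action. `exempt` lists "controller#action" names that
# skip forgery protection (what `skip_before_action :verify_authenticity_token`
# or `protect_from_forgery except:` does): for those, Rails never marks the
# request for same-origin verification, so the check is not applied.
def verify_same_origin_request(req, exempt: [])
  return :skipped if exempt.include?("#{req.controller}##{req.action}")
  non_xhr_javascript_response?(req) ? :rejected_422 : :ok
end

# Constructed requests mirroring the thread: the theme editor emits a
# <script src="/accounts/1/files/12345/download?verifier=..."> tag, the
# browser fetches it as a plain GET, and Canvas serves it as JavaScript.
GLOBAL_JS = Request.new(verb: "GET", controller: "files", action: "show_relative",
                        content_type: "text/javascript", xhr: false)
# The same file fetched via XMLHttpRequest, or a non-script download, passes.
XHR_JS   = GLOBAL_JS.dup.tap { |r| r.xhr = true }
PDF_FILE = GLOBAL_JS.dup.tap { |r| r.content_type = "application/pdf" }

# Runs the four cases and returns the outcome of each.
def demo
  {
    global_js_default: verify_same_origin_request(GLOBAL_JS),
    global_js_exempt:  verify_same_origin_request(GLOBAL_JS, exempt: ["files#show_relative"]),
    xhr_js:            verify_same_origin_request(XHR_JS),
    pdf:               verify_same_origin_request(PDF_FILE),
  }
end

demo.each { |name, result| puts "#{name}: #{result}" } if $PROGRAM_NAME == __FILE__
```

Running it shows only the plain `<script>` fetch of the JavaScript file being rejected, and the same request passing once the action is exempted; an XHR fetch or a non-JavaScript download is never affected, which is why ordinary file downloads keep working while global JS files fail.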

joe hobson

Sep 29, 2017, 6:40:07 PM
to Canvas LMS Users
Thank you, Graham. Extremely helpful, as always. Have a great weekend. ... .joe