How to handle CSRF protection for a Chrome Extension?


Greg Barker

Feb 19, 2018, 6:54:36 PM
to Django REST framework
Hello -

I'm working on a Chrome Extension that will inject some JavaScript into a third-party webpage in order to add some additional functionality.

For part of this functionality, I need to be able to do HTTP POST back to my server. I've added it as a trusted origin in my settings.py:

CORS_ORIGIN_WHITELIST = (
    'www.thirdpartysite.com',
)

CSRF_TRUSTED_ORIGINS = (
    'www.thirdpartysite.com',
)

I also added the CorsPostCsrfMiddleware as described here: https://github.com/ottoyiu/django-cors-headers#cors_replace_https_referer

However, my HTTP POST from within the Chrome Extension still fails with:

{"detail":"CSRF Failed: CSRF token missing or incorrect."}

How do I handle CSRF protection in Django Rest Framework for this scenario?

Thanks!
Greg

Norbert Mate

Feb 20, 2018, 5:24:35 AM
to Django REST framework
Hi Greg,

maybe the problem is how you send the CSRF token. Have you checked out this? http://www.django-rest-framework.org/topics/ajax-csrf-cors/
I have no experience with Chrome extensions, but I assume it uses Ajax. In that case you have to include the token in the HTTP header.

Regards,
Norbert.

Greg Barker

Feb 21, 2018, 2:20:54 AM
to django-res...@googlegroups.com
Thanks for the reply Norbert. I did see that page, where would the csrftoken cookie come from in this case though? Since I'm injecting my JavaScript onto a page hosted on a separate domain, there's no csrftoken cookie set there.

I came across this post on Stackoverflow: https://stackoverflow.com/questions/30871033/django-rest-framework-remove-csrf

Is that what I need to do here?

--
You received this message because you are subscribed to a topic in the Google Groups "Django REST framework" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/django-rest-framework/tHVPZzuR8QY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to django-rest-framework+unsub...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Norbert Máté

Feb 21, 2018, 2:38:01 AM
to django-res...@googlegroups.com
Hi Greg,

so the extension inserts some JavaScript into the current page, and if the user clicks a button it will post the page to your application. Is that correct? Do you have the csrftoken in your extension? I think Django searches for the token in multiple places: HTTP header, cookie, post. Now I don't think you can add the csrftoken in a cookie.

To make it appear in the post you would have to add the token into the form as a hidden field, something like this:
<input type="hidden" name="csrfmiddlewaretoken" value="NdZxiJLQgrKImN1iOXKzbWSehoeU7YKv8MBqGI0yn6i1AmQeOs3s1iArwLHA3lmI">

Regards,
Norbert.


Greg Barker

Feb 21, 2018, 2:00:30 PM
to django-res...@googlegroups.com
Thanks again for the reply Norbert. I'm not currently doing any GET request before the POST, so I'm not sure where the value of the csrftoken would come from in this case. I suppose I could add a GET request and pull the token from that? I'll give that a shot.

Greg Barker

Feb 22, 2018, 12:47:16 AM
to django-res...@googlegroups.com
An HTTP GET Ajax request doesn't seem to have a csrftoken cookie in the response, so that didn't work.

Also tried the CsrfExemptMixin from django-braces, that still gave me the "CSRF Failed: CSRF token missing or incorrect." response.

However, the CsrfExemptSessionAuthentication suggestion in this Stackoverflow post did do the trick: https://stackoverflow.com/questions/30871033/django-rest-framework-remove-csrf
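The thread leaves two things unexplained: where the token Norbert describes (header, cookie or hidden field) comes from when the script runs on another site, and what the CsrfExemptSessionAuthentication workaround actually switches off. The block below is an added example, not code from this thread, from Django or from DRF: a stdlib-only re-implementation of the decision Django 2.0's CsrfViewMiddleware makes (DRF's SessionAuthentication runs that same check and prefixes the reason with "CSRF Failed: "). The hosts api.example.com and evil.example, the cookie values and the token endpoint are assumptions made for illustration. It shows that the error Greg quotes means the csrftoken cookie did reach the server but no matching token did (a missing cookie produces "CSRF cookie not set."), that CSRF_TRUSTED_ORIGINS only widens the Referer check and never substitutes for the token, that a token returned in a response body by a view that calls get_token() satisfies the check, and that exempting session authentication also admits a forged cross-site POST.

```python
"""Stdlib-only model of the CSRF check in Django 2.0's CsrfViewMiddleware, which DRF's
SessionAuthentication.enforce_csrf() reuses. Illustration only; not Django's or DRF's code."""
import hmac
import secrets
import string
from urllib.parse import urlsplit

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32                      # the secret behind every token
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH   # salt + masked secret
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
REASON_NO_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_MALFORMED_REFERER = "Referer checking failed - Referer is malformed."
REASON_BAD_REFERER = "Referer checking failed - %s does not match any trusted origins."

def _random_string(n):
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(n))

def mask(secret):
    """salt + secret shifted character-wise by the salt: the cookie and every token
    handed out are different maskings of one secret, so they never look alike."""
    salt = _random_string(CSRF_SECRET_LENGTH)
    idx, n = CSRF_ALLOWED_CHARS.index, len(CSRF_ALLOWED_CHARS)
    return salt + "".join(CSRF_ALLOWED_CHARS[(idx(c) + idx(s)) % n] for c, s in zip(secret, salt))

def unmask(token):
    salt, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    idx = CSRF_ALLOWED_CHARS.index
    return "".join(CSRF_ALLOWED_CHARS[idx(c) - idx(s)] for c, s in zip(cipher, salt))

def new_cookie_token():
    """Value Django stores in the csrftoken cookie the first time get_token() runs."""
    return mask(_random_string(CSRF_SECRET_LENGTH))

def token_endpoint(cookie_token):
    """What a GET view that calls django.middleware.csrf.get_token() can return in its
    JSON body: a fresh masking of the secret already in the caller's cookie. Django sets
    or refreshes the cookie only when a view calls get_token() (the ensure_csrf_cookie
    decorator does); a plain DRF GET view does not."""
    return mask(unmask(cookie_token))

def _well_formed(token):
    return len(token) == CSRF_TOKEN_LENGTH and all(c in CSRF_ALLOWED_CHARS for c in token)

def csrf_check(method, cookies, headers, post=None, *, scheme="http",
               host="api.example.com", trusted_origins=(), exempt=False):
    """Return (ok, reason) in the order process_view decides: exempt views and safe
    methods pass; over HTTPS the Referer must be https and match the request host or
    CSRF_TRUSTED_ORIGINS (exact match here; Django also honours ".domain" wildcards);
    then cookie and csrfmiddlewaretoken/X-CSRFToken must unmask to the same secret."""
    if exempt or method in SAFE_METHODS:
        return True, None
    if scheme == "https":
        referer = headers.get("Referer")
        if referer is None:
            return False, REASON_NO_REFERER
        ref = urlsplit(referer)
        if ref.scheme != "https" or not ref.netloc:
            return False, REASON_MALFORMED_REFERER
        if ref.netloc != host and ref.netloc not in trusted_origins:
            return False, REASON_BAD_REFERER % referer
    cookie_token = cookies.get("csrftoken")
    if cookie_token is None:
        return False, REASON_NO_COOKIE
    request_token = (post or {}).get("csrfmiddlewaretoken") or headers.get("X-CSRFToken", "")
    if not (_well_formed(cookie_token) and _well_formed(request_token)
            and hmac.compare_digest(unmask(request_token), unmask(cookie_token))):
        return False, REASON_BAD_TOKEN
    return True, None

# Constructed requests; the hosts, cookie values and token endpoint are assumptions.
TRUSTED = ("www.thirdpartysite.com",)

def extension_post(cookie_token, header_token=None, exempt=False):
    """The thread's case: a content script on www.thirdpartysite.com POSTs to the API.
    The browser attaches the API host's cookies on its own, but the script cannot read
    them, so unless it fetched a token some other way no X-CSRFToken header goes out."""
    headers = {"Referer": "https://www.thirdpartysite.com/page"}
    if header_token is not None:
        headers["X-CSRFToken"] = header_token
    cookies = {"sessionid": "s3ss10n", "csrftoken": cookie_token}
    return csrf_check("POST", cookies, headers, scheme="https",
                      trusted_origins=TRUSTED, exempt=exempt)

def forged_post(cookie_token, exempt=False):
    """An attacker page on evil.example making the same POST with the victim's ambient
    cookies: what CSRF protection exists to stop, and what a CSRF-exempt
    SessionAuthentication waves through."""
    cookies = {"sessionid": "s3ss10n", "csrftoken": cookie_token}
    return csrf_check("POST", cookies, {"Referer": "https://evil.example/"},
                      scheme="https", trusted_origins=TRUSTED, exempt=exempt)
```

Two consequences for the extension follow from this. Keeping session authentication protected needs a token the script can actually obtain: a view decorated with ensure_csrf_cookie (or otherwise calling get_token()) that returns the token in its body, sent back in the X-CSRFToken header, or, for an extension holding the cookies permission for the API host, the csrftoken cookie read through chrome.cookies from the background script; JavaScript running in the third-party page never gets to read that cookie, which is why the GET-then-read-cookie attempt found nothing. The other route is to authenticate the extension's requests with a credential the browser does not attach by itself, such as DRF's TokenAuthentication via the Authorization header: DRF applies CSRF enforcement only to SessionAuthentication, so nothing needs exempting. CsrfExemptSessionAuthentication, by contrast, disables the check for every session-authenticated client of that view, not only for the extension.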