csrf vs testing


Nov 3, 2020, 9:55:14 AM11/3/20
to Mojolicious
This might be an obvious question, but I haven't found a good answer.

I'm rewriting our old web applications in Mojolicious. Goes just fine.

Might as well add CSRF protection (exactly when are CSRF tokens recommended?).

But then how do we test with CSRF protection (via $v = $v->csrf_protect; from Mojolicious::Validator::Validation) enabled?

So if, for example, I'm testing my editing mode and am using (data is 'good' data that validates if there is no CSRF protection)

$t->post_ok($url, form => $data)

what exactly are we supposed to add to our tests so that we can test with csrf_protect?
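An added worked example for the question above (this is not code from any poster in the thread, and route names, field names and the secret are illustrative). It is a self-contained Mojolicious::Lite app whose POST handler calls $v->csrf_protect, together with the Test::Mojo sequence that makes such a handler testable: fetch the form first so the session and token exist, pull the token out of the rendered hidden field, then post it back with the form data. It also shows the negative cases a test suite should cover (missing token, guessed token, valid token from a different client). The samesite line assumes a recent Mojolicious, whose session cookies default to SameSite=Lax.

```perl
#!/usr/bin/env perl
# Added example: a Mojolicious::Lite app plus Test::Mojo tests showing how to
# exercise a form handler that calls $v->csrf_protect. Names are illustrative.
use Mojolicious::Lite -signatures;
use Test::More;
use Test::Mojo;

app->secrets(['demo-secret-change-me']);    # illustrative; never ship a fixed secret
# Mojolicious sends the session cookie with SameSite=Lax by default; this
# tightens it to Strict. It is independent of the token check below.
app->sessions->samesite('Strict');

# GET: render the edit form. csrf_field emits a hidden "csrf_token" input whose
# value is also stored in the session, so the token is bound to this client.
get '/edit' => 'edit';

# POST: check the token before any other validation.
post '/edit' => sub ($c) {
  my $v = $c->validation;
  $v->csrf_protect;
  return $c->render(text => 'Bad CSRF token', status => 403)
    if $v->has_error('csrf_token');

  $v->required('title')->size(1, 100);
  return $c->render(text => 'Invalid input', status => 400) if $v->has_error;

  $c->render(text => 'Saved: ' . $v->param('title'));
};

my $t = Test::Mojo->new;

# 1. Fetch the form first. This creates the session cookie and the token;
#    Test::Mojo's user agent keeps the cookie jar across requests.
$t->get_ok('/edit')->status_is(200)->element_exists('input[name=csrf_token]');
my $token = $t->tx->res->dom->at('input[name=csrf_token]')->attr('value');

# 2. Good data plus the token the server issued: accepted.
$t->post_ok('/edit', form => {csrf_token => $token, title => 'hello'})
  ->status_is(200)->content_is('Saved: hello');

# 3. The same good data without a token: rejected. This is what a bare
#    $t->post_ok($url, form => $data) hits once csrf_protect is enabled.
$t->post_ok('/edit', form => {title => 'hello'})->status_is(403);

# 4. A guessed token: rejected.
$t->post_ok('/edit', form => {csrf_token => 'not-the-real-token', title => 'hello'})
  ->status_is(403);

# 5. The real token, but sent by a fresh client with no session cookie:
#    rejected, because the token must match the submitting client's session.
my $other = Test::Mojo->new;
$other->post_ok('/edit', form => {csrf_token => $token, title => 'hello'})
  ->status_is(403);

done_testing;

__DATA__

@@ edit.html.ep
%= form_for '/edit' => (method => 'POST') => begin
  %= csrf_field
  %= text_field 'title'
  %= submit_button 'Save'
% end
```

Run it with `prove -v` or directly with `perl`. The key point for an existing test suite is step 1: a POST test that used to work with `form => $data` needs a preceding GET on the page that renders the form, and `csrf_token` added to the posted data from that response, because the token is per session and the session only exists once the client has received the cookie.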


Sebastian Riedel

Nov 3, 2020, 12:09:56 PM11/3/20
to Mojolicious
These CSRF protection features are mostly legacy features these days for backwards compatibility. Now we have SameSite cookies, to which modern browsers default.


Lars Madsen

Nov 5, 2020, 3:09:03 AM11/5/20
to mojol...@googlegroups.com
ahh, nice, thanks



Nov 5, 2020, 5:38:02 PM11/5/20
to mojol...@googlegroups.com

I think that most browsers default to SameSite=Lax (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite), so you could still do a CSRF attack via a GET request / top-level navigation, although that’s only if you’ve coded your application to *do* things in a GET request.  


If you explicitly use SameSite=Strict, then I suppose that CSRF protections could probably matter less. I hadn’t actually thought about that until now. I wonder about CSRF attacks that don’t require cookies. It’s been a few months since I’ve chatted with security experts, but I think I was advised to ensure CSRF protection as well as secure strict cookies.


David Cook
Software Engineer, Prosentient Systems
72/330 Wattle St, Ultimo, NSW 2007
Office: 02 9212 0899 | Online: 02 8005 0595
