Implement CSRF Prevention

Description

Overview

This is a follow-up to the investigation done for MODLOGSAML-59 / MODLOGSAML-58 and covers implementation of the design outlined on the wiki

Acceptance Criteria

CORS handling is done by the module
* tenant-specific origin whitelist
* Access-Control-Allow-Origin is set to the origin, not *
* Access-Control-Allow-Credentials is set to true for /saml/login
CSRF prevention is implemented via RelayState and a associated cookie

Environment

None

Potential Workaround

None

Linked issues

Checklist

hide

TestRail: Results

Activity

Show:

Done

Details
Assignee
Hongwei Ji
Reporter
Craig McNally
Labels
R2platform-backlogsecuritysecurity-reviewed
Priority
P2
Story Points
5
Sprint
None
Development Team
Core: Platform
Parent
DEBT-27 Overall Epic to collect efforts coming from the Security Audit in February 2019.
Fix versions
2.2.0
TestRail: Cases
Open TestRail: Cases
TestRail: Runs
Open TestRail: Runs

Created May 21, 2020 at 1:40 PM

Updated July 8, 2021 at 4:10 PM

Resolved May 24, 2021 at 12:01 PM

Configure

TestRail: Cases

TestRail: Runs

Implement CSRF Prevention

Description

Overview

Acceptance Criteria

Environment

Potential Workaround

Linked issues

blocks

is blocked by

relates to

Checklist

TestRail: Results

Activity

Details

Assignee

Reporter

Labels

Priority

Story Points

Sprint

Development Team

Parent

Fix versions

TestRail: Cases

TestRail: Runs

Flag notifications

Something's gone wrong