Skip to content

CsrfCounterMeasure: skip Sec-Fetch-Site check for safe HTTP methods#391

Merged
lippserd merged 1 commit into
mainfrom
csrf-allow-safe-request-methods
Jul 1, 2026
Merged

CsrfCounterMeasure: skip Sec-Fetch-Site check for safe HTTP methods#391
lippserd merged 1 commit into
mainfrom
csrf-allow-safe-request-methods

Conversation

@TheSyscall

Copy link
Copy Markdown
Contributor

RFC 9110 defines GET, HEAD, OPTIONS, and TRACE as safe methods: they must not cause side effects, so they cannot be exploited for CSRF. Previously, requestIsSafe() checked the Sec-Fetch-Site header unconditionally, which caused it to return false (and throw "Rejecting cross-site request") when a cross-origin GET navigation reached a form. This broke legitimate flows where an external service redirects the browser to a form. The redirect carries
Sec-Fetch-Site: cross-site, and the form assembly failed before the page could render.

For safe methods, requestIsSafe() now returns null, falling through to the token-based CSRF fallback. The token embedded in the rendered form still protects the subsequent POST submission.

@cla-bot cla-bot Bot added the cla/signed label Jun 29, 2026
@TheSyscall TheSyscall requested a review from Al2Klimov June 29, 2026 10:51

@Al2Klimov Al2Klimov left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🙈

RFC 9110 defines GET, HEAD, OPTIONS, and TRACE as safe methods: they
must not cause side effects, so they cannot be exploited for CSRF.
Previously, `requestIsSafe()` checked the Sec-Fetch-Site header
unconditionally, which caused it to return false (and throw "Rejecting
cross-site request") when a cross-origin GET navigation reached a form.
This broke legitimate flows where an external service redirects the
browser back to a form. The redirect carries
`Sec-Fetch-Site: cross-site`, and the form assembly failed before the
page could render.

For safe methods, `requestIsSafe()` now returns null, falling through to
the token-based CSRF fallback. The token embedded in the rendered form
still protects the subsequent POST submission: modern browsers send
`Sec-Fetch-Site: same-origin` on that POST, and legacy browsers validate
the token.
@TheSyscall TheSyscall force-pushed the csrf-allow-safe-request-methods branch from e69a60b to 6cabeab Compare July 1, 2026 06:36
@lippserd lippserd added this to the 0.14.0 milestone Jul 1, 2026
@lippserd lippserd merged commit de66e33 into main Jul 1, 2026
14 checks passed
@lippserd lippserd deleted the csrf-allow-safe-request-methods branch July 1, 2026 06:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants