0

I need to process an enquiry form of a static website built using Jekyll.

The enquiry form submits a JSONP request (GET) to a PHP app on another domain that processes the request.

Is it possible to prevent CSRF as the form will be static?

I noticed the PHP Slim Framework's CSRF middleware only protects from POST, PUT & DELETE methods, not GET.

If I have a script in the static site build the form on each page load with data requested from the server (cookie value, csrf token as well as field values etc) could that work?

Thanks for your time

Improve this question
4
  • 1
    What are you trying to protect against... if the user is not authenticated in any way, there is no benefit from providing CSRF protection. Is that the case? Commented Oct 22, 2013 at 9:02
  • That is right, the user is not authenticated. Commented Oct 22, 2013 at 10:22
  • 1
    No need to protect against CSRF then since the form does not gain anything from being submitted in the context of the current user - if an attacker wanted to submit the form on your website there would be no need to go "cross site"... they would simply submit it. It sounds like you're after a CAPTCHA to prevent robots submitting the form (if that is what you're really after?). Commented Oct 22, 2013 at 10:57
  • That is right. Thanks again I wish I could check your comment as the right answer. Commented Oct 22, 2013 at 21:40

2 Answers 2

Reset to default
1

No need to protect against CSRF then since the form does not gain anything from being submitted in the context of the current user - if an attacker wanted to submit the form on your website there would be no need to go "cross site"... they would simply submit it.

It sounds like you're after a CAPTCHA to prevent robots submitting the form (if that is what you're really after?).

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

No.

Defences against CSRF depend on the page from which the request is sent and the server to which it is sent agreeing a unique identifier for the user.

Since the form is static, you can't place that unique identifier in the form.

If I have a script in the static site build the form on each page load with data requested from the server (cookie value, csrf token as well as field values etc) could that work?

Only if it is a server side script (so the form wouldn't be static), otherwise any site could include it to get the token.

I noticed the PHP Slim Framework's CSRF middleware only protects from POST, PUT & DELETE methods, not GET.

This is because GET requests shouldn't be doing anything in the first place, so (unless you are abusing them) there is no need to apply CSRF protection to them.

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.

Improve this answer

4 Comments

Thanks for that. I'm thinking now CORS might be preferable as it supports more than just GET requests unlike JSONP
CSRF would still be an issue, even with CORS. The attack only has to make a request, it doesn't need to expose the response to JS.
Cool. I'm thinking a javascript compiled form with a csrf token supplied by server via a simple get jsonp request as it's just retrieval. the form submit will make a CORS POST request to the php app to verify request and take necessary actions ie send email with form values etc
If the token is in the JavaScript, then any site can include the .js file and get the token, which would render it useless.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.