Comments (3)
It is working - there's no Set-Cookie header. It's just that your cookie path is likely (the default of) "/", which means that your browser sends the cookie on any response. You can either:

a) Set a more precise path for your cookies
b) Use a different domain for your static assets
On Tue Dec 30 2014 at 04:36:46 ChristianEspinoza [email protected] wrote:

I'm using something like that:

    handler := nosurf.New(cleanHandler)
    handler.ExemptRegexps("/css(.)", "/js(.)", "/images(.*)")

Exempting my assets, but it seems it doesn't work:
Request URL: http://192.168.237.131/js/bootstrap.min.js
Request Method: GET
Status Code: 200 OK

Request Headers:
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: es,en;q=0.8,en-CA;q=0.6
Connection: keep-alive
Cookie: csrf_token=WK6UlEqLP3ioDLsUhuQTc1ZZ08DujAS5Gbxv0G2Riow=;
    _ga=GA1.1.1561828371.1415760157;
    session=MTQxOTg4Mzk2N3xfVmc3amc5OFh4RW04VUVjekhxLS16SEIwcEpyY0RUZW9EU3lodHdPSk4zUzdnTUpfYlFpR3l0dmM0a182Y0NTNVRMWE5TQ25fNWZhdzAwOHR5MjROYm5vNGoxdDRPNlA1V0FFdU5sZmQ5cm1HWVZidHk4bUg3aDBzVDBwQUhXSFNQb1JlRjdGTndCbms2UTJCN0liM0ZMR0dyRjMyYUlKSWxUVjU3NlhZVWUzaDNsMlZGczJrcnlsd0V5ZVM5SG9pc3RRVjdINk9RRy1PY245aGlkZTdRSnJncWJZelBLT196cHIwSUM0OVVUQThsNXB6NHVOS2g0PXzY2_Q54s1zOKcqBe5NimAmarqUBGrgq6LsWp1kQ28QZg==;
    flash=MTQxOTg4Mzk3NXxEdi1EQkFFQ180UUFBUkFCRUFBQUJQLUVBQUE9fKrNyW2LmqkQYwTkI9cMXz3dRF2VVQQx2C0LNCx5_UNC
Host: 192.168.237.131
Referer: http://192.168.237.131/login
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Response Headers:
Accept-Ranges: bytes
Cache-Control: public, max-age=300
Content-Encoding: gzip
Content-Type: application/x-javascript
Date: Mon, 29 Dec 2014 20:30:43 GMT
Last-Modified: Thu, 29 Aug 2013 13:52:00 GMT
Transfer-Encoding: chunked
Vary: Cookie
Vary: Accept-Encoding
Oops, OK, thanks Matt.
To clear it up: Set-Cookie will still get sent even on exempted routes, but only when the existing token in Cookie is missing or invalid: ServeHTTP() returns early only after checking the presence of the cookie.

To test whether the routes were successfully exempted, issue a POST /js/. It should not prevent the request from happening, even though the form data contains no token.

Though I think you forgot asterisks for css and js routes: a period will only match one symbol.
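The check the comment above describes, as an added example that is not part of this thread and not nosurf's own code: a deliberately small middleware that models the ordering the comment states (the cookie is inspected and re-issued before the exemption short-circuit; safe methods and exempt regexps then pass through; everything else must echo the cookie token in a form field), driven in-process with net/http/httptest. The `csrfHandler` type, the `probe` helper, the cookie and form-field name `csrf_token`, the cookie `Path: "/"` from the first reply, and the token length are assumptions made for illustration; the exempt patterns are the ones from the thread, asterisks included.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// Assumed names and sizes for the illustration; not taken from nosurf.
const cookieName, tokenLen = "csrf_token", 32

// csrfHandler is an illustrative model of the ordering described in the thread
// (cookie first, exemption second, token comparison last), not nosurf's code.
type csrfHandler struct {
	next    http.Handler
	exempts []*regexp.Regexp
}

func newCSRF(next http.Handler, patterns ...string) *csrfHandler {
	h := &csrfHandler{next: next}
	for _, p := range patterns {
		h.exempts = append(h.exempts, regexp.MustCompile(p))
	}
	return h
}

// freshToken returns a random base64 token; validToken checks only its shape.
func freshToken() string {
	buf := make([]byte, tokenLen)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(buf)
}

func validToken(s string) bool {
	b, err := base64.StdEncoding.DecodeString(s)
	return err == nil && len(b) == tokenLen
}

// isExempt uses unanchored MatchString; anchor a pattern with ^ for prefix-only matching.
func (h *csrfHandler) isExempt(path string) bool {
	for _, re := range h.exempts {
		if re.MatchString(path) {
			return true
		}
	}
	return false
}

func (h *csrfHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// 1. Cookie first: a missing or malformed token is re-issued even on exempt routes.
	token := ""
	if c, err := r.Cookie(cookieName); err == nil && validToken(c.Value) {
		token = c.Value
	} else {
		token = freshToken()
		http.SetCookie(w, &http.Cookie{Name: cookieName, Value: token, Path: "/", HttpOnly: true})
	}
	// 2. Safe methods and exempt paths return early; no form token is required.
	safe := r.Method == "GET" || r.Method == "HEAD" || r.Method == "OPTIONS" || r.Method == "TRACE"
	if safe || h.isExempt(r.URL.Path) {
		h.next.ServeHTTP(w, r)
		return
	}
	// 3. Everything else must echo the cookie token in the form field.
	if subtle.ConstantTimeCompare([]byte(r.PostFormValue(cookieName)), []byte(token)) != 1 {
		http.Error(w, "CSRF token invalid", http.StatusBadRequest)
		return
	}
	h.next.ServeHTTP(w, r)
}

// demoHandler wires the middleware with the thread's exemptions, asterisks included.
func demoHandler() http.Handler {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	return newCSRF(ok, "/css(.*)", "/js(.*)", "/images(.*)")
}

// probe runs one in-process request (no body, no form token) and reports the
// status and whether Set-Cookie was emitted; an empty cookie sends no cookie.
func probe(h http.Handler, method, path, cookie string) (status int, setCookie bool) {
	req := httptest.NewRequest(method, path, nil)
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: cookieName, Value: cookie})
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code, rr.Header().Get("Set-Cookie") != ""
}

func main() {
	h, tok := demoHandler(), freshToken()
	s, sc := probe(h, "GET", "/js/bootstrap.min.js", "")
	fmt.Println("GET /js, no cookie:         ", s, "set-cookie:", sc)
	s, sc = probe(h, "POST", "/js/bootstrap.min.js", tok)
	fmt.Println("POST /js, no form token:    ", s, "set-cookie:", sc)
	s, sc = probe(h, "POST", "/login", tok)
	fmt.Println("POST /login, no form token: ", s, "set-cookie:", sc)
}
```

The first probe reproduces the situation from the capture: the route is exempt, yet a request without a valid `csrf_token` cookie still receives Set-Cookie. The second probe is the exemption test from the comment: a POST to /js/ with no token in the form is let through. The third is the control, a non-exempt POST without a token, which is rejected. A GET with a valid cookie, exempt or not, gets no Set-Cookie at all, which is the "it is working" case from the first reply.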