<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Look into CORS and how cross-origin requests work.  If your script
    comes from the same origin as the target of the XHR, it will work
    fine.  No problem.  If the script is from a different origin, the server
    will receive the request, but the script will not be able to see the
    response.  Sometimes, depending on the browser and the XHR request, an
    OPTIONS request is sent first.<br>
    <br>
    Keycloak adapters have some support for CORS.  See docs.<br>
    <br>
    <div class="moz-cite-prefix">On 2/19/2016 6:19 PM, Baskin, Ilia
      wrote:<br>
    </div>
    <blockquote
cite="mid:CY1PR07MB2200DDEDFBE30B03413960A6C4A00@CY1PR07MB2200.namprd07.prod.outlook.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Scott,<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">I
            know that, but this is exactly how CSRF works. There are
            several simple ways to defend against CSRF, and I am
            surprised that Keycloak, a security application, doesn’t
            utilize any.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Thanks.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Ilia<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">
                Scott Rossillo [<a class="moz-txt-link-freetext" href="mailto:srossillo@smartling.com">mailto:srossillo@smartling.com</a>]
                <br>
                <b>Sent:</b> Friday, February 19, 2016 6:15 PM<br>
                <b>To:</b> Baskin, Ilia<br>
                <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
                <b>Subject:</b> Re: [keycloak-user] Is it CSRF
                vulnerability?<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Once you’ve authenticated with Keycloak,
          your application has a session id provided by Tomcat. This is
          why your requests are succeeding. If you examine your XHR
          requests, I’d assume the session id cookie is being passed to
          the server.<o:p></o:p></p>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <div>
            <p class="MsoNormal"><o:p> </o:p></p>
            <div>
              <div>
                <div>
                  <div>
                    <p class="MsoNormal"><span
style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:black">Scott
                        Rossillo<o:p></o:p></span></p>
                  </div>
                  <div>
                    <p class="MsoNormal"><span
style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:black">Smartling
                        | Senior Software Engineer<o:p></o:p></span></p>
                  </div>
                  <div>
                    <p class="MsoNormal"><span
style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:black"><a
                          moz-do-not-send="true"
                          href="mailto:srossillo@smartling.com"><a class="moz-txt-link-abbreviated" href="mailto:srossillo@smartling.com">srossillo@smartling.com</a></a><o:p></o:p></span></p>
                  </div>
                </div>
              </div>
              <p class="MsoNormal"><o:p> </o:p></p>
              <div>
                <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
                  <div>
                    <p class="MsoNormal">On Feb 19, 2016, at 6:01 PM,
                      Baskin, Ilia &lt;<a moz-do-not-send="true"
                        href="mailto:ibaskine@microstrategy.com">ibaskine@microstrategy.com</a>&gt;
                      wrote:<o:p></o:p></p>
                  </div>
                  <p class="MsoNormal"><o:p> </o:p></p>
                  <div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Hi,<o:p></o:p></span></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> <o:p></o:p></span></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">I
                          am experimenting with Keycloak to evaluate its
                          suitability for our application. Here is one
                          of my experiments, which got me worried:<o:p></o:p></span></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> <o:p></o:p></span></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">I
                          created a simple page (see attached), deployed
                          it on Tomcat and registered it in Keycloak as a
                          confidential client. As you can see, the page
                          contains a button, clicking on which executes a
                          simple XHR request. Notice that the XHR request
                          doesn’t contain an Authorization header. On
                          submission of my page URL I am redirected to
                          Keycloak for authentication. After
                          authentication I can submit XHR requests at
                          will.<o:p></o:p></span></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> <o:p></o:p></span></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Now
                          I copied my page and deployed the copy on the
                          same Tomcat as a different, totally unsecured
                          application. If I open this page in another
                          browser tab and click on the XHR button, it goes
                          through without any problem. It looks to me like
                          a typical CSRF case. Am I missing something
                          here?<o:p></o:p></span></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> <o:p></o:p></span></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Thanks.<o:p></o:p></span></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Ilia<o:p></o:p></span></p>
                    </div>
                    <p class="MsoNormal">&lt;index.html&gt;<span
style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">_______________________________________________<br>
                        keycloak-user mailing list<br>
                      </span><a moz-do-not-send="true"
                        href="mailto:keycloak-user@lists.jboss.org"><span
style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:purple">keycloak-user@lists.jboss.org</span></a><span
style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;"><br>
                      </span><a moz-do-not-send="true"
                        href="https://lists.jboss.org/mailman/listinfo/keycloak-user"><span
style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:purple">https://lists.jboss.org/mailman/listinfo/keycloak-user</span></a><o:p></o:p></p>
                  </div>
                </blockquote>
              </div>
              <p class="MsoNormal"><o:p> </o:p></p>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
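    <p>The following is an added example, not code from the thread, from Keycloak or from its adapters. It models in plain Node.js what the reply above describes: a same-origin XHR works as-is, a cross-origin request still reaches the server but the page can only read the response when the server echoes its origin in the CORS headers (with credentials, a wildcard is never enough), and a non-simple cross-origin request is preceded by an OPTIONS preflight. It also shows the one server-side check the CSRF question turns on: because the browser attaches the session cookie to any request aimed at the app, the handler verifies the Origin (or, failing that, Referer) header before it performs a state-changing action. One caveat a tester should keep in mind: two web applications on the same Tomcat host and port share an origin (scheme, host, port), so a copy of the page deployed on the same Tomcat is a same-origin caller as far as the browser is concerned; the example therefore models a genuinely cross-site page as well. The origins, the session table and the counter are all constructed for the example.</p>

```javascript
// Added example (not Keycloak or adapter code). Models server-side handling
// of same-origin, cross-origin and preflight requests, plus an Origin check
// against CSRF. All origins, cookies and the session table are constructed.

const SERVER_ORIGIN = "https://app.example.com";              // assumption
const ALLOWED_ORIGINS = new Set(["https://spa.example.com"]); // assumption
const SESSIONS = new Map([["JSESSIONID=abc123", "alice"]]);   // constructed

function originOf(url) {
  if (!url) return null;
  try { return new URL(url).origin; } catch (e) { return null; }
}

// Mimics the browser's CORS rule for a credentialed XHR: the page may read
// the response only if it is same-origin, or the server echoed the page's
// exact origin and allowed credentials. A wildcard "*" never works with cookies.
function browserCanRead(pageOrigin, res) {
  if (pageOrigin === SERVER_ORIGIN) return true;
  return res.headers["Access-Control-Allow-Origin"] === pageOrigin &&
         res.headers["Access-Control-Allow-Credentials"] === "true";
}

// The server. req = { method, origin, cookie, headers }; req.origin is the
// value of the Origin header the browser attached (null when it sends none).
function handleRequest(req, state) {
  const res = { status: 0, headers: {}, body: "" };
  const origin = req.origin || null;

  // 1. CORS preflight: the browser asks before a non-simple cross-origin
  //    request and sends no cookies, so this runs before authentication.
  if (req.method === "OPTIONS" && req.headers["Access-Control-Request-Method"]) {
    if (ALLOWED_ORIGINS.has(origin)) {
      res.headers["Access-Control-Allow-Origin"] = origin;
      res.headers["Access-Control-Allow-Credentials"] = "true";
      res.headers["Access-Control-Allow-Methods"] = "GET, POST, DELETE";
      res.headers["Access-Control-Allow-Headers"] = "Content-Type";
      res.headers["Vary"] = "Origin";
      res.status = 204;
    } else {
      res.status = 403; // the browser then fails the actual request
    }
    return res;
  }

  // 2. Authentication via the session cookie the browser attaches automatically.
  const user = SESSIONS.get(req.cookie) || null;
  if (!user) { res.status = 401; return res; }

  // 3. CSRF defence: a "simple" cross-site POST reaches this point with the
  //    cookie, so the source must be this app or an explicitly allowed origin.
  //    Fall back to Referer when Origin is absent; reject when both are missing.
  if (req.method !== "GET" && req.method !== "HEAD") {
    const src = origin || originOf(req.headers["Referer"]);
    if (!(src === SERVER_ORIGIN || ALLOWED_ORIGINS.has(src))) {
      res.status = 403; res.body = "cross-site request rejected"; return res;
    }
  }

  // 4. The state-changing action itself.
  if (req.method === "POST") state.counter += 1;
  res.status = 200;
  res.body = JSON.stringify({ user, counter: state.counter });

  // 5. CORS headers only for allowed origins, so only those pages can read the body.
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    res.headers["Access-Control-Allow-Origin"] = origin;
    res.headers["Access-Control-Allow-Credentials"] = "true";
    res.headers["Vary"] = "Origin";
  }
  return res;
}

// Four constructed scenarios; returns what each caller gets.
function runScenarios() {
  const state = { counter: 0 };
  const cookie = "JSESSIONID=abc123";
  const out = {};
  let r;

  // a) Same-origin XHR POST from the protected app: runs, and the page reads the reply.
  r = handleRequest({ method: "POST", origin: SERVER_ORIGIN, cookie, headers: {} }, state);
  out.sameOrigin = { status: r.status, readable: browserCanRead(SERVER_ORIGIN, r) };

  // b) Cross-site simple POST with the cookie attached (the CSRF attempt): the
  //    server receives it, the Origin check rejects it, and the attacker page
  //    could not read the response in any case.
  r = handleRequest({ method: "POST", origin: "https://evil.example.net", cookie, headers: {} }, state);
  out.crossSite = { status: r.status, readable: browserCanRead("https://evil.example.net", r) };

  // c) Allowed SPA origin: preflight first, then the credentialed request.
  r = handleRequest({ method: "OPTIONS", origin: "https://spa.example.com", cookie: null,
                      headers: { "Access-Control-Request-Method": "DELETE" } }, state);
  const preflight = r.status;
  r = handleRequest({ method: "POST", origin: "https://spa.example.com", cookie, headers: {} }, state);
  out.allowedSpa = { preflight, status: r.status, readable: browserCanRead("https://spa.example.com", r) };

  // d) No session cookie at all: rejected before anything else.
  r = handleRequest({ method: "POST", origin: SERVER_ORIGIN, cookie: null, headers: {} }, state);
  out.anonymous = { status: r.status };

  out.counter = state.counter; // only (a) and (c) changed state
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runScenarios(), null, 2));
}
```

    <p>The point the scenarios make: the server handler runs for the cross-site POST in (b) exactly as it does for (a), with the same cookie; CORS only decides whether the calling page can read the reply. Blocking the action is the job of step 3 (or of a synchronizer token or a SameSite cookie), not of the CORS headers.</p>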
  </body>
</html>