Dr. Helga

Dilettanten, olé!

ExtJS: Preventing CSRF Attacks When Using Ext.Direct

When using Ext.Direct there is no out-of-the-box way to send a token within the RPC call to prevent CSRF attacks, which is in fact a big security problem. To make Ext.Direct send a token, you have to override the getCallData method of the RemotingProvider:

Override Ext.direct.RemotingProvider
Ext.override(Ext.direct.RemotingProvider, {
  // Called for every transaction the provider serialises; the returned
  // object becomes the JSON body of the RPC request.
  getCallData: function(transaction){
      return {
          action: transaction.action,
          method: transaction.method,
          data: transaction.data,
          type: 'rpc',
          tid: transaction.id,
          // Per-session token rendered into the page by the server;
          // the server must compare it on every request.
          token: MyNamespace.PostToken
      };
  }
});
