Bypass CSRF check for Facebook canvas apps using POST for canvas

Author:
mjallday
Posted:
November 23, 2010
Language:
Python
Version:
Not specified
Tags:
django python post facebook csrf fb
Score:
1 (after 1 ratings)

This assumes that you have a method called decode_signed_request which will validate the signed_request parameter and return None if the validation check fails.

A similar method can be found here - https://github.com/iplatform/pyFaceGraph/blob/70e456c79f1ac1c7eddece03af323346a00481ef/src/facegraph/canvas.py

from django.conf import settings

# decode_signed_request is assumed to exist (see above): it verifies the
# signed_request parameter and returns None when verification fails.

class IgnoreFbCsrfMiddleware(object):
    def process_request(self, request):
        # request.REQUEST merges GET and POST; it was deprecated in Django 1.7
        # and removed in 1.9, where request.POST.get(...) is the replacement.
        signed_request = request.REQUEST.get('signed_request', None)

        signed_request = decode_signed_request(signed_request, settings.FACEBOOK_APP_SECRET)

        # Only a request carrying a validly signed signed_request skips the CSRF check.
        request.csrf_processing_done = signed_request is not None
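The snippet leaves decode_signed_request to the reader. As an added example (not the snippet's code and not pyFaceGraph's), here is one way to implement that validation in plain Python. It assumes the canvas signed_request format of base64url(signature) "." base64url(JSON payload), with the signature being HMAC-SHA256 keyed by the app secret over the still-encoded payload; make_signed_request and the secret value are constructed for offline testing only. The security point is that the middleware may mark CSRF processing done only because a correct MAC proves the request was produced by a party holding the app secret, so every failure path (malformed encoding, unexpected algorithm, mismatched MAC) must return None rather than raise or fall through.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(text):
    """Decode URL-safe base64 whose '=' padding has been stripped."""
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii"))


def _b64url_encode(raw):
    """Encode bytes as URL-safe base64 without '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_signed_request(signed_request, app_secret):
    """Return the payload dict if the HMAC verifies, otherwise None.

    Assumed shape: '<base64url(signature)>.<base64url(json payload)>' where
    signature = HMAC-SHA256(key=app_secret, msg=<base64url(json payload)>).
    Any structural defect is treated as a verification failure.
    """
    if not isinstance(signed_request, str) or "." not in signed_request:
        return None
    sig_b64, payload_b64 = signed_request.split(".", 1)
    try:
        sig = _b64url_decode(sig_b64)
        payload = json.loads(_b64url_decode(payload_b64).decode("utf-8"))
        expected = hmac.new(app_secret.encode("utf-8"),
                            payload_b64.encode("ascii"),
                            hashlib.sha256).digest()
    except ValueError:  # covers binascii.Error, Unicode*Error and JSON errors
        return None
    if not isinstance(payload, dict):
        return None
    # Only the one algorithm implemented here is accepted, so the payload
    # cannot talk the verifier into a weaker (or absent) check.
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    # Constant-time comparison; a plain '==' leaks timing about the MAC.
    if not hmac.compare_digest(sig, expected):
        return None
    return payload


def make_signed_request(payload, app_secret, algorithm="HMAC-SHA256"):
    """Constructed test helper: build a signed_request in the format above.

    Exists only so the verifier can be exercised offline; the 'algorithm'
    parameter lets a test produce a correctly signed but downgraded payload.
    """
    body = dict(payload, algorithm=algorithm)
    payload_b64 = _b64url_encode(
        json.dumps(body, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(app_secret.encode("utf-8"),
                   payload_b64.encode("ascii"), hashlib.sha256).digest()
    return _b64url_encode(sig) + "." + payload_b64


if __name__ == "__main__":
    secret = "constructed-app-secret"  # placeholder, not a real app secret
    good = make_signed_request({"user_id": "123"}, secret)
    print("valid      ->", decode_signed_request(good, secret))
    print("bad secret ->", decode_signed_request(good, "other-secret"))
    # Signature from one request spliced onto the payload of another.
    other = make_signed_request({"user_id": "999"}, secret)
    spliced = good.split(".", 1)[0] + "." + other.split(".", 1)[1]
    print("spliced    ->", decode_signed_request(spliced, secret))
    print("downgraded ->", decode_signed_request(
        make_signed_request({"user_id": "1"}, secret, algorithm="none"), secret))
```

In the middleware, the value returned here is the only thing that decides whether csrf_processing_done is set, so a request with no signed_request, or one whose MAC does not verify, still goes through Django's normal CSRF check.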

Comments

pyrou2 (on December 17, 2010):
adding

    request.META["CSRF_COOKIE"] = _get_new_csrf_key()

will allow you to use {% csrf_token %} in further requests

    from django.conf import settings

    # parse_signed_request is the commenter's equivalent of decode_signed_request.

    class FacebookCsrfMiddleware(object):
        """ Facebook CSRF protection """
        def process_request(self, request):
            signed_request = request.REQUEST.get('signed_request', None)
            signed_request = parse_signed_request(signed_request, settings.FACEBOOK_SECRET_KEY)
            if signed_request is not None:
                from django.middleware.csrf import _get_new_csrf_key
                # Seed a CSRF cookie so later templates can render {% csrf_token %}.
                request.META["CSRF_COOKIE"] = _get_new_csrf_key()
                request.csrf_processing_done = True

subhranath (on March 22, 2011):
why not put a simple 'csrf_exempt' decorator on the view where the 'signed_request' is encountered. Solves the need for the 'request.META["CSRF_COOKIE"] = _get_new_csrf_key()' anyway.

P.S. I'm assuming that we won't use this view for making any other sort of POST.

subhranath (on March 22, 2011):
And the rest of the views won't even have to go through the extra layer of the middleware stack. And even more, there won't even be a chance of a POST parameter name clash on 'signed_request' intended for some other view, the use of which is very much probable in such a case.
