I'm building a flash game that uses Django as a backend.

I currently have an API endpoint set up using django-tastypie, which the flash app can call to receive JSON data for populating the application.

I understand that, using simple Django views and the templating system, one is able to simply include a csrf_token in a web page with the aid of the middleware.

My problem now is trying to post data back to the server without using csrf_exempt, and ideally the flash application can be run without inserting param tags. Hopefully, a standalone swf file that'll work as it is.

How would one get a csrf_token into the flash app so it can post data back to the server without security concerns?

If the csrf_token way is not possible, are there any other ways to post data securely?

I have searched many avenues leading to similar questions, but many are unanswered. Maybe I'm missing something here as I'm engrossed in my perspective. I hope someone can enlighten me on better ways to do it.

Thanks in advance.

VKen

1 Answer

It sounds like you may have two problems:

How do I actually send the CSRF token with my POST requests from Flash?

Django also accepts CSRF tokens via the header X-CSRFToken. See the docs here.

You can append headers to your request like so:

var req:URLRequest = new URLRequest();
req.url = "http://somesite.com";
// Flash only sends custom request headers on POST requests
req.method = URLRequestMethod.POST;
// Django reads the token from this header; "foobar" stands for the real token value
var header:URLRequestHeader = new URLRequestHeader("X-CSRFToken", "foobar");
req.requestHeaders.push(header);

URLRequests docs are here.


How do I get the CSRF token into my Flash file in the first place?!

(Option A) Because CSRF tokens are generated on a per request basis (e.g., with templating a traditional HTML form, on a GET request) the simplest thing to do is to pass the CSRF token to the Flash file via a templated parameter. Something like: <param name="csrf_token" value="{{ my_csrf_token }}" />

(Option B) It sounds like you don't want to do the parameter thing, so your final option is to build a custom Django view which has the sole functionality of delivering a CSRF token to your Flash file. So the flow would be: your Flash file loads, your Flash makes a GET request to http://mysite.com/csrf_token/ which simply returns a valid CSRF token, and then you can use that token to do your POST. (Note you will need to do a GET request for each POST request.)

Chris W.
  • Hi Chris, thanks for the detailed explanation. Option B sounds like a possible plan, but I'm unsure about the security implications of opening an endpoint just to get csrf token, because referral headers are spoofable. What is your perspective about this potential possible exploit, and whether it is a valid concern? – VKen Jun 18 '12 at 02:31
  • @vken, I'm no security expert so I don't think I understand the full implications of an AJAX generated CSRF. Check out this question for some related info: http://stackoverflow.com/questions/3664044/anti-csrf-token-and-javascript. However I believe you are protected using the methodology in option B. – Chris W. Jun 18 '12 at 17:49
  • More relevant AJAX requests for CSRF: http://stackoverflow.com/questions/144696/is-exposing-a-sessions-csrf-protection-token-safe?rq=1 – Chris W. Jun 18 '12 at 17:53
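To make the Option B flow and the comment thread's concern concrete, here is an added, framework-free Python sketch (not the Django project's own code, and not Django's middleware) of the double-submit check that the X-CSRFToken header relies on: the /csrf_token/ endpoint hands the token to the same client that holds the csrftoken cookie, and an unsafe request is accepted only when header and cookie agree. The Request class, the csrf_token_view and csrf_check functions and the sample values are all constructed for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

CSRF_COOKIE = "csrftoken"          # cookie name Django uses by default
CSRF_HEADER = "X-CSRFToken"        # header the answer above adds from Flash
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (cookies/headers as plain dicts)."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_token_view(request: Request) -> tuple[str, dict]:
    """Option B endpoint: GET /csrf_token/ returns (body, cookies_to_set).

    Reuses the token if the caller already holds the cookie, otherwise issues
    a fresh random one, so body and cookie always carry the same value.
    """
    token = request.cookies.get(CSRF_COOKIE) or secrets.token_hex(32)
    return token, {CSRF_COOKIE: token}


def csrf_check(request: Request) -> bool:
    """Double-submit check: for unsafe methods the header must equal the cookie.

    Compared in constant time so the comparison itself leaks nothing.
    """
    if request.method in SAFE_METHODS:
        return True
    cookie = request.cookies.get(CSRF_COOKIE, "")
    header = request.headers.get(CSRF_HEADER, "")
    return bool(cookie) and hmac.compare_digest(cookie, header)


def flash_post_flow() -> bool:
    """Legitimate SWF: GET the token, then POST it back in the header."""
    token, cookies = csrf_token_view(Request("GET"))
    post = Request("POST", cookies=cookies, headers={CSRF_HEADER: token})
    return csrf_check(post)


def forged_post(victim_cookies: dict) -> bool:
    """A cross-site forged POST rides on the victim's cookie but cannot set the
    custom header, which is why exposing the token to its own client is safe."""
    return csrf_check(Request("POST", cookies=victim_cookies))
```

The spoofable Referer header from the comments plays no part in this check; what protects the endpoint is that only the same client can both read the token response and attach it as a header.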