Add cross-references between CSRF and CORS filter

[sithmein]

Description

The current CSRF filter is stateful in that it requires the client to send back some server-generated value. However, there are other, stateless, ways to prevent CSRF such as the one mentioned in an OWASP Cheat Sheet about CSRF.
Therefore the quarkus-rest-csrf extension should also offer a stateless request filter.

I have the corresponding filter already available. However, I would need some pointers/discussion about how exactly it should be added to the extension. For example, how do you can (de)activate an ContainerRequestFilter via configuration such that it gets completely excluded if disabled.

Implementation ideas

Follow the approach outlined in https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#using-standard-headers-to-verify-origin

[quarkus-bot]

/cc @FroMage (rest)

[FroMage]

We already have a filter at https://github.com/quarkusio/quarkus/blob/main/extensions/resteasy-reactive/rest-csrf/runtime/src/main/java/io/quarkus/csrf/reactive/runtime/CsrfRequestResponseReactiveFilter.java#L64 which can be deactivated. So you just need to add the header behaviour there, based on config from https://github.com/quarkusio/quarkus/blob/main/extensions/resteasy-reactive/rest-csrf/runtime/src/main/java/io/quarkus/csrf/reactive/runtime/RestCsrfConfig.java

[FroMage]

/cc @sberyozkin

[sberyozkin]

It still requires a cookie presence though, so I believe the @sithmein's idea is do Origin checks against the local target, without expecting the server to produce a cookie.

May be it should be rest-csrf-origin to have a dedicated solution focusing on Origin checks only.

However, I have a question, @sithmein, why do you think the CORS filter can not be applied to support these checks ?

Thanks

[sithmein]

However, I have a question, @sithmein, why do you think the CORS filter can not be applied to support these checks ?

That's a very good question. I didn't know this extension also actively denies requests and not just sets response headers. A quick internet search seems to suggest a properly configured CORS filter can prevent CSRF attacks as well.

There would be a small difference, though. The CSRF filter can work without any configuration if there is only one origin, i.e. Host and Origin are the same. With the CORS filter you have to explicit configure all allowed origins as far as I understand and also list the allowed methods.

[sberyozkin]

A quick internet search seems to suggest a properly configured CORS filter can prevent CSRF attacks as well.

Sure, we definitely applied CORS to prevent CSRF once.

There would be a small difference, though. The CSRF filter can work without any configuration if there is only one origin, i.e. Host and Origin are the same. With the CORS filter you have to explicit configure all allowed origins as far as I understand and also list the allowed methods.

If CORS filter origin is not configured, same host origin policy is supported OOB, methods, headers, are optional.
Essentialy, I believe you provide a custom CORS filter implementation, though I might be wrong.

I don't mind having something more CSRF centric built around processing Origins though if it is clearly distinct to what the CORS filter does.

Please experiment with the Quarkus CORS filter, perhaps we can enhance it further ?

Let us know what you think please

[sithmein]

After some more in-depth research I believe that the existing CORS is basically the same as the CSRF filter I had in mind. Therefore from my side we can close this ticket.
However, I suggest to add a sentence about the implicit https://quarkus.io/guides/security-csrf-prevention CSRF protection to https://quarkus.io/guides/security-cors and a link to the latter on https://quarkus.io/guides/security-csrf-prevention.