Linking To 3rd Party Images Directly Opens Up Cross-Site Request Forgery (CSRF)?
I'm using an embed api to get user submitted image URLs to host on my site.
In the documentation of the embed service I am using it states:
There are other security considerations as well and this one applies to regular embeds: Linking to 3rd party images directly opens up Cross-Site Request Forgery (CSRF) and other vulnerabilities, and it's advisable to host all the images (including favicons) through your own domain. That domain can be called, for example, safe.yourdomain.com, and it should be set up as a reverse proxy with NGINX to host the images. We will provide a sample NGINX configuration for that.
I'm also wondering if Laravel automatically protects against this with csrf tokens, blade using {{ }} htmlentities, and if there is anything I can do upon storing image links in the DB.
Note: I will be storing the images in my own file structure sometime down the road, but for right now I won't be.
Answer
As long as your Laravel app is correctly configured and you follow the recommended practice of using CSRF protection provided by Laravel, your application may be considered to be safe in that sense.
However, what the embed service provider states is that if you render data that contains resources outside your domain straight away, you are putting your users at potential risk of CSRF, against your own application or other websites.
It would be a good practice to always validate all URLs to make sure that those are trusted resource origins, and never render those links in a way that the browser may automatically attempt to load without user acknowledgement.
Implementation techniques on how to sanitize, validate and handle untrusted data may exceed the purpose of this answer considering the broad topic and handful of possible strategies.
But for your specific question, if those links are images, you may
- Make sure the domain is trusted
- Download them in the background to your own hosting
- Validate the downloaded contents to make sure it has no malicious content
- Embed the resource as local to your domain (to comply with the same-origin policy).
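The four steps above, worked through as an added example in plain PHP (not code from the question, the answer or the embed service; the Laravel storage wiring is left out). The trusted host list, size limit and storage directory are assumptions.

```php
<?php
// Added example: allowlist the host, fetch server-side, verify the bytes really are an
// image, then store under our own origin. TRUSTED_HOSTS and the storage dir are assumed.
const TRUSTED_HOSTS = ['images.example.com', 'cdn.example.org']; // assumed allowlist
const MAX_BYTES = 5 * 1024 * 1024;
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif', 'image/webp' => 'webp'];

// 1. Only https URLs on an explicitly trusted host, with no embedded credentials.
function isTrustedImageUrl(string $url): bool
{
    $p = filter_var($url, FILTER_VALIDATE_URL) === false ? [] : (parse_url($url) ?: []);
    return ($p['scheme'] ?? '') === 'https'
        && in_array(strtolower($p['host'] ?? ''), TRUSTED_HOSTS, true)
        && empty($p['user']) && empty($p['pass']);
}

// 2. Fetch server-side; redirects are refused so a trusted host cannot bounce us elsewhere.
function fetchImage(string $url): ?string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => MAX_BYTES, // honoured only when Content-Length is sent
    ]);
    $body = curl_exec($ch);
    $ok = $body !== false && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200 && strlen($body) <= MAX_BYTES;
    return $ok ? $body : null;
}

// 3. Trust the bytes, not the URL extension or the remote Content-Type header.
function detectImageExtension(string $bytes): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    return (isset(ALLOWED[$mime]) && @getimagesizefromstring($bytes) !== false) ? ALLOWED[$mime] : null;
}

// 4. Store with a name we choose; the returned same-origin path is what goes in the DB.
function importImage(string $url, string $storageDir): ?string
{
    $bytes = isTrustedImageUrl($url) ? fetchImage($url) : null;
    $ext = $bytes === null ? null : detectImageExtension($bytes);
    if ($ext === null) {
        return null;
    }
    $name = hash('sha256', $bytes) . '.' . $ext;
    return file_put_contents("$storageDir/$name", $bytes) === false ? null : "/images/$name";
}
```

Storing only the returned local path means the Blade template never renders a third-party URL, so the browser fetches the image from your own origin.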