Linking To 3rd Party Images Directly Opens Up Cross-Site Request Forgery (CSRF)?

I'm using an embed api to get user submitted image URLs to host on my site.

In the documentation of the embed service I am using it states:

There are other security considerations as well, and this one applies to regular embeds: Linking to 3rd party images directly opens up Cross-Site Request Forgery (CSRF) and other vulnerabilities, and it's advisable to host all the images (including favicons) through your own domain. That domain can be called, for example, safe.yourdomain.com, and it should be set up as a reverse proxy with NGINX to host the images. We will provide a sample NGINX configuration for that.

After looking at another thread here I've become more confused about whether this is a situation that is only to be worried about if you are storing an HTML tag in the DB, or if it applies both to storing HTML img tags and/or the image URL.

I'm also wondering if Laravel automatically protects against this with CSRF tokens, Blade using {{ }} htmlentities, and if there is anything I can do upon storing image links in the DB.

Note: I will be storing the images in my own file structure sometime down the road, but for right now I won't be.

Answer

As long as your Laravel app is correctly configured and you follow the recommended practice of using CSRF protection provided by Laravel, your application may be considered to be safe in that sense.

However, what the embed service provider states is that if you render data that contains resources outside your domain straight away, you are putting your users at potential risk of CSRF, against your own application or other websites.

CSRF Diagram

It would be a good practice to always validate all URLs to make sure that those are trusted resource origins, and never render those links in a way that the browser may automatically attempt to load without user acknowledgement.

Implementation techniques on how to sanitize, validate and handle untrusted data may exceed the purpose of this answer considering the broad topic and handful of possible strategies.

But for your specific question, if those links are images, you may:

1. Make sure the domain is trusted
2. Download them in the background to your own hosting
3. Validate the downloaded contents to make sure they have no malicious content
4. Embed the resource as local to your domain (to comply with the same-origin policy).
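The four steps above as an added illustration (not the answerer's code and not Laravel-specific; the allowlist, accepted signatures and local path scheme are constructed assumptions), with the download abstracted as an injected `fetch` callable so the checks run offline:

```python
import hashlib
import ipaddress
from urllib.parse import urlparse

# Constructed allowlist of image hosts the site trusts (assumption).
TRUSTED_HOSTS = {"images.example.com", "cdn.example.org"}

# Magic bytes of the image formats we accept; anything else is rejected.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def is_trusted_image_url(url: str) -> bool:
    """Step 1: accept only https URLs whose host is on the allowlist.
    Embedded credentials, explicit ports and literal IPs are rejected."""
    try:
        p = urlparse(url)
        if p.scheme != "https" or p.username or p.password or p.port:
            return False
        host = (p.hostname or "").lower()
    except ValueError:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # a bare IP is never a trusted origin
    except ValueError:
        pass
    return host in TRUSTED_HOSTS


def sniff_image_type(data: bytes):
    """Step 3: decide the type from the bytes, never from the URL or Content-Type."""
    for magic, mime in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def import_image(url: str, fetch, max_bytes: int = 5_000_000):
    """Steps 1-4: validate the URL, fetch server-side, sniff the bytes and
    return (local_path, mime, data); the caller stores data under its own domain."""
    if not is_trusted_image_url(url):
        raise ValueError("untrusted image origin")
    data = fetch(url)  # step 2: the server downloads, not the visitor's browser
    if len(data) > max_bytes:
        raise ValueError("image too large")
    mime = sniff_image_type(data)
    if mime is None:
        raise ValueError("not a recognised image")
    name = hashlib.sha256(data).hexdigest()[:16]
    return f"/img/{name}.{mime.split('/')[1]}", mime, data
```

Pages then reference only the returned local path, so the browser never fetches from the third-party origin.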
source: stackoverflow.com