Adding X-CSRF-Token header globally to all instances of XMLHttpRequest();

javascript ajax security xmlhttprequest csrf

31,115

Solution 1

I'd recommend to intercept calls to the send method:

(function() {
    var send = XMLHttpRequest.prototype.send,
        token = $('meta[name=csrf-token]').attr('content');
    XMLHttpRequest.prototype.send = function(data) {
        this.setRequestHeader('X-CSRF-Token', token);
        return send.apply(this, arguments);
    };
}());

This won't add the header at instantiation time, but right before the request is sent. You can intercept calls to new XMLHttpRequest() as well, but that won't be helpful as you need to wait with adding the header until open was called.

You might also want to include a test for the target URL of the request, so that you only add the header when your own api is called. Not doing so might leak the token elsewhere, or might even break cross-domain CORS calls that don't allow this header.

Solution 2

you can wrap the ajax open() method to open and then set the header right away:

(function() {
    var op = XMLHttpRequest.prototype.open;
    XMLHttpRequest.prototype.open = function() {
        var resp = op.apply(this, arguments);
        this.setRequestHeader('X-CSRF-Token', $('meta[name=csrf-token]').attr('content'));
        return resp;
    };
}());

Solution 3

If you need a Jquery independent solution you could use:

  (function() {
      var send = XMLHttpRequest.prototype.send,
          token = document.getElementsByTagName('meta')['csrf-token'].content;
      XMLHttpRequest.prototype.send = function(data) {
          this.setRequestHeader('X-CSRF-Token', token);
          return send.apply(this, arguments);
      };
  }());

31,115

Author by

Abraham P

Tech Lead at Flock in London, working with Typescript/io-ts, NodeJS, Haskell, React Native, ReasonML, Postgres, and a smattering of other things. We are hiring! jobs.flockcover.com

Updated on July 09, 2022

Comments

Abraham P almost 2 years

I am using a third party library which spawns a raw XMLHttpRequest with new XMLHttpRequest.

This bypasses my CSRF protection and gets shot down by my rails server.

Is there a way to globally add a predefined CSRF token ($('meta[name=csrf-token]').attr('content')) to ALL instances of XMLHttpRequest at instantiation time?
dandavis almost 10 years

i went with doing it after open so that it can be clobbered, but 6 of one, half a dozen of the other i suppose...
Bergi almost 10 years

@dandavis: initially I thought to intercept open as well, but I didn't just want to repeat the code from your answer. You got a +1 just as I saw your post pop up :)
dandavis almost 10 years

great minds think alike. can i ask, are you 100% ok with this sort of mod? it feels a little risky/dirty to me, even though i can't see the harm.
Bergi almost 10 years

99%. Same risks as always when messing with builtin objects: they might be implemented differently than you thought. From instance-specific methods to non-writable .send properties, to the send method not inheriting .apply all quirks is possible (old IEs were known to have such oddities in their DOM). However, in modern browsers this will work, they respect the Web-IDL spec for how to implement the HTML5 apis in javascript.