[Owncloud] Race condition with CSRF protection token initialization
Christian Reiner
foss at christian-reiner.info
Thu Aug 23 20:10:54 UTC 2012
Hello all,
I experience problems during app initialization from time to time. These
problems can be tracked down to a race condition in the app setup. It is a
general issue with the CSRF protection:
When using an ajax call during app initialization (say to fetch additional
dialogs or something) this is usually done inside a dynamic function called
from within a jQuery $(document).ready() call. For these ajax calls the CSRF
protection token is required to be present, or better the token has to be
bound as an additional request parameter to all calls. This binding is done by
a small js script embedded in the page's head section. It is meant to be run
after jQuery is present but before any further action is started.
However now and then it happens that the initializing ajax calls are fired
_before_ that binding is completed. Therefore the ajax calls fail (CSRF
protection), thus the apps fail to initialize. I managed to reduce these
problems by wrapping them inside a $(window).load() instead of a
$(document).ready(), but this is far from being a good idea. Besides an
obvious performance penalty this does not reliably fix the problem. Another
strategy might be to check if the binding has occurred already (or wait for it
if not). But this is clearly the wrong place to fix this issue.
The inclusion of the CSRF protection token has to be changed in such a way that
it is guaranteed that the token is bound before any further code (OC or app
specific) is started.
Anyone got an idea for this?
--
Christian Reiner (arkascha)
[ foss at christian-reiner.info ]
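An added example (not part of the post and not ownCloud's own code) that models the ordering problem described above in plain Node-runnable JavaScript: an app call fired before the head script has bound the token is rejected by the server, while a call that waits for the binding succeeds. The parameter name `requesttoken`, the in-memory server check and all helper functions are constructed stand-ins.

```javascript
// Constructed model of the race: the head script that binds the CSRF token
// runs later than app code fired from $(document).ready(). "requesttoken",
// the in-memory "server" and the helpers are stand-ins, not ownCloud code.

// Shared state filled in by the head script; waiters are calls queued until then.
const csrf = { token: null, waiters: [] };

// The head script's job: bind the token, then flush any calls that were waiting.
function bindCsrfToken(token) {
  csrf.token = token;
  csrf.waiters.splice(0).forEach((send) => send());
}

// Server-side check: a request is only accepted if it carries the session token.
function serverHandle(request, expectedToken) {
  if (request.params.requesttoken !== expectedToken) {
    return { status: 403, body: 'CSRF check failed' };
  }
  return { status: 200, body: 'ok' };
}

// Unguarded client: sends at once with whatever is bound right now (maybe null).
function ajaxUnguarded(url, params, expectedToken) {
  const request = { url, params: { ...params, requesttoken: csrf.token } };
  return serverHandle(request, expectedToken);
}

// Guarded client: defers the send until the token is bound, so app code can
// run from document.ready regardless of whether the head script ran first.
function ajaxGuarded(url, params, expectedToken, onDone) {
  const send = () => onDone(ajaxUnguarded(url, params, expectedToken));
  if (csrf.token !== null) send(); else csrf.waiters.push(send);
}

// Simulates the bad ordering: app init fires first, the binding completes later.
function simulateRace(token) {
  csrf.token = null;
  csrf.waiters.length = 0;
  const result = {};
  // App call fired before binding: rejected by the server, as in the post.
  result.unguardedStatus = ajaxUnguarded('/apps/demo/dialog', {}, token).status;
  // Same call through the guard: queued, not sent yet.
  ajaxGuarded('/apps/demo/dialog', {}, token, (r) => { result.guardedStatus = r.status; });
  // Head script finally runs: token bound, queued call flushed and accepted.
  bindCsrfToken(token);
  return result;
}

console.log(simulateRace('tok-123')); // → { unguardedStatus: 403, guardedStatus: 200 }
```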