chore: Clarify CSRF token comments (#9897) (#9911)

CSRF tokens in Vaadin follow the "synchronizer token pattern" rather than the double submit cookie that some code comments refer to. Existing comments are clarified to avoid confusion for anyone reviewing our security practices. Co-authored-by: Leif Åstrand <leif@vaadin.com>
vaadin · Feb 5, 2021 · b357ba4 · b357ba4
1 parent 51df66e
commit b357ba4
Show file tree

Hide file tree

Showing 5 changed files with 7 additions and 6 deletions.
diff --git a/flow-client/src/main/java/com/vaadin/client/communication/MessageHandler.java b/flow-client/src/main/java/com/vaadin/client/communication/MessageHandler.java
@@ -701,8 +701,8 @@ public int getLastSeenServerSyncId() {
     }
 
     /**
-     * Gets the token (aka double submit cookie) that the server uses to protect
-     * against Cross Site Request Forgery attacks.
+     * Gets the token (synchronizer token pattern) that the server uses to
+     * protect against CSRF (Cross Site Request Forgery) attacks.
      *
      * @return the CSRF token string
      */

diff --git a/flow-server/src/main/java/com/vaadin/flow/component/UI.java b/flow-server/src/main/java/com/vaadin/flow/component/UI.java
@@ -1183,7 +1183,7 @@ public Component getActiveDragSourceComponent() {
     }
 
     /**
-     * Gets the CSRF token (aka double submit cookie) that is used to protect
+     * Gets the CSRF token (synchronizer token pattern) that is used to protect
      * against Cross Site Request Forgery attacks.
      *
      * @return the csrf token string

diff --git a/flow-server/src/main/java/com/vaadin/flow/server/VaadinService.java b/flow-server/src/main/java/com/vaadin/flow/server/VaadinService.java
@@ -1905,7 +1905,7 @@ public static boolean isOtherSessionLocked(VaadinSession session) {
     }
 
     /**
-     * Verifies that the given CSRF token (aka double submit cookie) is valid
+     * Verifies that the given CSRF token (synchronizer token pattern) is valid
      * for the given UI. This is used to protect against Cross Site Request
      * Forgery attacks.
      * <p>

diff --git a/flow-server/src/main/java/com/vaadin/flow/server/VaadinSession.java b/flow-server/src/main/java/com/vaadin/flow/server/VaadinSession.java
@@ -1039,7 +1039,7 @@ public StreamResourceRegistry getResourceRegistry() {
     }
 
     /**
-     * Gets the CSRF token (aka double submit cookie) that is used to protect
+     * Gets the CSRF token (synchronizer token pattern) that is used to protect
      * against Cross Site Request Forgery attacks.
      *
      * @return the csrf token string

diff --git a/flow-server/src/main/java/com/vaadin/flow/server/communication/ServerRpcHandler.java b/flow-server/src/main/java/com/vaadin/flow/server/communication/ServerRpcHandler.java
@@ -126,7 +126,8 @@ public RpcRequest(String jsonString, VaadinRequest request) {
         }
 
         /**
-         * Gets the CSRF security token (double submit cookie) for this request.
+         * Gets the CSRF security token (synchronizer token pattern) for this
+         * request.
          *
          * @return the CSRF security token for this current change request
          */