Cross-site request forgery issues with LTI 1.1.1?

Hi Chuck

Thanks for the answer to my previous question. I had to make a new post, as the reply button displayed the message "We're sorry, but you can't post comments here!".

Yes, the https://www.imsglobal.org/spec/lti/security-update/v1p0 document does mention CSRF. But it does not help me much. Is it possible to be more specific? I maintain several sites that use LTI 1.1.1, and I need to know if these sites are affected. We will of course want to update to LTI 1.3, but as this needs to be done both for the Tool Consumer and Tool Provider, it is often quite impractical.

My understanding of CSRF is that it is all about tricking a user, so his/her browser makes faked GET and POST requests on his/her behalf. These fake requests can be especially dangerous because the browser will automatically send session cookies. LTI 1.1.1 does not use cookies.

LTI 1.1.1 communicates via OAuth 1 signed form posts (with a nonce that prevents resubmissions). It is my understanding that it is not possible to sign these form posts without knowing the secret. It might be possible to use CSRF to trick the Tool Consumer into making a signed form post, but that is a security issue with the Tool Consumer (not LTI 1.1.1).

Is it maybe some of the LTI extensions that are vulnerable?

Regards,
Søren
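Added example (not part of Søren's post, and not code from any LTI library): a Tool Provider-side check of an OAuth 1.0 HMAC-SHA1 signed LTI 1.1 launch form post, showing the two properties the post relies on. A post signed without the shared secret (or altered after signing) fails signature verification, and a post that is replayed with a nonce already seen is rejected. The consumer key `demo-key`, its secret, the launch URL and all launch parameters are constructed for the example; the nonce cache is an in-memory dict that a real deployment would replace with shared, expiring storage.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed shared secret for the hypothetical consumer key "demo-key" (not from the post).
CONSUMER_SECRETS = {"demo-key": "demo-secret"}

# Nonces already accepted, per consumer key. A dict is enough to show the replay check;
# production would use shared storage that expires entries older than TIMESTAMP_WINDOW.
SEEN_NONCES = {}
TIMESTAMP_WINDOW = 300  # seconds of clock skew tolerated between consumer and provider


def _enc(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only unreserved chars left as-is)."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """OAuth 1.0 signature base string for a form POST.

    `url` is the normalized base URL (scheme://host/path, no query string). oauth_signature
    is excluded; the remaining parameters are encoded, sorted, and joined with '&'.
    """
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; LTI 1.1 launches carry no token, so token_secret is empty."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_launch(url, consumer_key, secret, nonce, timestamp, extra):
    """What a Tool Consumer does: assemble the launch parameters and sign them (constructed data)."""
    params = {
        "lti_message_type": "basic-lti-launch-request",
        "lti_version": "LTI-1p0",
        "resource_link_id": "constructed-link-1",
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
        **extra,
    }
    params["oauth_signature"] = sign("POST", url, params, secret)
    return params


def verify_launch(method, url, params, now=None):
    """What a Tool Provider does: returns (accepted, reason) for an incoming launch post."""
    now = time.time() if now is None else now
    key = params.get("oauth_consumer_key")
    secret = CONSUMER_SECRETS.get(key)
    if secret is None:
        return False, "unknown consumer key"
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False, "unsupported signature method"
    try:
        ts = int(params.get("oauth_timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > TIMESTAMP_WINDOW:
        return False, "timestamp outside window"
    nonce = params.get("oauth_nonce", "")
    if not nonce:
        return False, "missing nonce"
    # Check the signature before touching the nonce cache, so unsigned junk cannot fill it.
    expected = sign(method, url, params, secret).encode()
    presented = params.get("oauth_signature", "").encode()
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    seen = SEEN_NONCES.setdefault(key, set())
    if nonce in seen:
        return False, "replayed nonce"
    seen.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    url = "https://tool.example/launch"  # constructed launch endpoint
    launch = build_launch(url, "demo-key", "demo-secret", "nonce-1", int(time.time()), {"user_id": "u1"})
    print(verify_launch("POST", url, launch))  # first delivery is accepted
    print(verify_launch("POST", url, launch))  # same post again is a replay
```

The nonce cache only has to remember nonces for as long as the timestamp window, since anything older is rejected on the timestamp check first; keying it by consumer key keeps one consumer's nonces from colliding with another's. Note that none of these checks involves a browser cookie, which is the point the post makes: a forged cross-site POST without the secret produces a "bad signature" result, not a launch.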