Play Framework Security Advisory

CSRF Bypass


4 Mar 2016


A vulnerability has been found in Play’s CSRF support.

Chrome's implementation of the Beacon API (navigator.sendBeacon) can send cross-origin POST requests that are neither form submissions nor subject to a CORS preflight, and that carry an arbitrary Content-Type such as application/json. This invalidates the assumption made by Play's CSRF filter that only form-encoded POST requests (the ones a browser will send cross-origin without a preflight) are subject to CSRF attacks, so the filter skipped the token check for exactly the requests Beacon could forge.


Play's CSRF check can be bypassed when the victim's browser is Chrome: an attacker-controlled page can cause the victim's browser to issue a credentialed, non-form POST to a Play application, and the CSRF filter will not require a token for it.

Affected Versions


Workarounds

Set the following configuration in application.conf so that the CSRF filter checks every request regardless of content type, rather than only form content types:

    play.filters.csrf.contentType {
      blackList = []
      whiteList = ["none"]
    }

Note that this means every request with a Content-Type, for example a POST with application/json, will now require a valid CSRF token; only requests that carry no Content-Type at all ("none") are exempt. Non-browser API clients that post JSON without a token will need to be adjusted accordingly.
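To make the bypass and the workaround concrete, the following is an added example that is not part of the advisory and not code from the Play project. It is a small model of the content-type gate in Play 2.4's CSRF filter: the blackList/whiteList semantics, the default content-type list, the hypothetical victim URL and the request shape are all assumptions made for illustration, as is the Beacon call shown in the comment (it is only described here so that the block runs outside a browser). The model shows why a Beacon-style cross-origin POST with Content-Type application/json slips past the default configuration and why the workaround above forces it through the token check.

```javascript
// Added example (not from the Play advisory or the Play code base): a model of
// the content-type gate in Play 2.4's CSRF filter. The blackList/whiteList
// semantics are an assumption for illustration, not a transcription of Play.

// Assumed Play 2.4 defaults: only "form" content types are subject to the CSRF
// check, on the theory that only forms can POST cross-origin without preflight.
const DEFAULT_CONFIG = {
  blackList: ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'],
  whiteList: [],
};

// The advisory's workaround: no blacklist, and only requests that carry no
// Content-Type at all (the pseudo-value "none") are exempt from the check.
const WORKAROUND_CONFIG = { blackList: [], whiteList: ['none'] };

// Reduce a Content-Type header to its media type; a missing header maps to
// "none" so it can be matched by the whitelist.
function mediaType(contentType) {
  if (!contentType) return 'none';
  return contentType.split(';')[0].trim().toLowerCase();
}

// Decide whether a request must present a valid CSRF token.
// Assumed semantics: safe methods are never checked; when a blackList is
// configured only those content types are checked; otherwise everything except
// the whitelisted content types is checked.
function needsCsrfCheck(method, contentType, config) {
  const safeMethods = ['GET', 'HEAD', 'OPTIONS'];
  if (safeMethods.includes(method.toUpperCase())) return false;
  const ct = mediaType(contentType);
  if (config.blackList.length > 0) return config.blackList.includes(ct);
  return !config.whiteList.includes(ct);
}

// The request an attacker's page produces with the Beacon API. In a browser
// this would be
//   navigator.sendBeacon(target, new Blob([JSON.stringify(body)], { type: 'application/json' }))
// which, in Chrome at the time of the advisory, went out as a credentialed
// cross-origin POST with Content-Type: application/json and no CORS preflight.
// Here the request is only described, so the block runs outside a browser.
function beaconRequest(target, body) {
  return {
    method: 'POST',
    url: target,
    contentType: 'application/json',
    body: JSON.stringify(body),
    credentials: 'include', // Beacon sends cookies, so the victim's session rides along
  };
}

// Constructed sample: a state-changing JSON endpoint (hypothetical URL) hit by
// a Beacon POST from an attacker-controlled origin.
const attack = beaconRequest('https://victim.example/api/transfer', { to: 'attacker', amount: 100 });

// Does a given configuration subject the Beacon POST to the CSRF check?
function beaconIsChecked(config) {
  return needsCsrfCheck(attack.method, attack.contentType, config);
}

console.log('default config checks the Beacon POST:', beaconIsChecked(DEFAULT_CONFIG));       // false: bypass
console.log('workaround config checks the Beacon POST:', beaconIsChecked(WORKAROUND_CONFIG)); // true
console.log('form POST still checked under workaround:',
  needsCsrfCheck('POST', 'application/x-www-form-urlencoded', WORKAROUND_CONFIG));          // true
console.log('request with no Content-Type exempt under workaround:',
  needsCsrfCheck('POST', undefined, WORKAROUND_CONFIG));                                     // false
```

Two practical points follow from the model. First, the workaround only helps if the filter is actually applied to the routes in question, and it will reject JSON requests from legitimate non-browser clients unless they are given a token or routed around the filter. Second, the Beacon specification was later changed so that a Blob with a non-CORS-safelisted Content-Type forces a preflight, which is why current browsers no longer exhibit this particular behaviour; the underlying lesson, that a CSRF defence must not rely on assumptions about which content types a browser can emit cross-origin, still stands.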


Fixed Versions

Upgrade to Play 2.5.0. Details of how the CSRF filter in Play 2.5 has been changed to provide better protection, and what needs to be done to upgrade, can be found here.


Credit for finding this vulnerability goes to David Black from Atlassian.