KTOR-6695 Add configuration warning when nothing is provided for CSRF

[bjhham]

Subsystem
Server, CSRF

Motivation

• KTOR-6695 CSRF: The allowOrigin method enables the Origin Header validation

Solution
After thinking about how to provide some default behaviour for the CSRF plugin, I am of the opinion that it would be unwise to select one of the mitigations automatically for the user. Instead, we ought to report an error for when it is an empty configuration. Personally, I'd rather throw an exception, but logging a warning should be enough.

[Stexxe]

Can you explain how the fix is related to the https://youtrack.jetbrains.com/issue/KTOR-6695?

[bjhham]

Yes, my assertion is that the default behaviour not enabling any validation is important, but we ought to inform the developer that it's not a valid configuration for CSRF.

As for the phrasing of "allow", I don't have any ideas atm. The current choice was just to maintain some similarity with CORS, but I understand the behaviour is different.

[Stexxe]

Yes, my assertion is that the default behaviour not enabling any validation is important, but we ought to inform the developer that it's not a valid configuration for CSRF.

As for the phrasing of "allow", I don't have any ideas atm. The current choice was just to maintain some similarity with CORS, but I understand the behaviour is different.

It might be important, but I don't see how the current changes fix the problem from the linked YouTrack issue.

[bjhham]

From what I understood, this issue is twofold: 1) nothing happens with the empty config, and 2) allow phrasing implies that something does happen, i.e. there is an implicit empty whitelist before calling this function. This is to address the first item. I'm open for suggestions on item 2.