Elliot Cameron
@fizruk Right, yes. I should have been clearer. I actually hope to use servant specs as the engine for generating docs for such APIs.
Exactly! I suspected this but failed to report it. Thanks for the detail. In the meantime I disable XSRF and check the `Origin`/`Referer` headers in my fork #54.
My fork has the third option implemented (check origin and referer), but I've never had time to write tests for it. If anyone wants to try that I'd be very...
FWIW, I think the trouble with Double-Submit is that it's designed for traditional page-by-page apps (no AJAX). With AJAX-heavy apps or SPA, you need to use something else.
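The check described in the comments above (disable the XSRF token and verify the `Origin`/`Referer` headers instead) as an added example; this is not code from the fork or from servant, and it is written in Python rather than Haskell so the logic can be run stand-alone. The allowed origin `https://app.example.com`, the sample requests and the decision to fail closed when neither header is present are assumptions made here.

```python
from urllib.parse import urlsplit

# Assumed deployment value: the only origin allowed to make state-changing calls.
ALLOWED_ORIGINS = {"https://app.example.com"}

# Methods that must be side-effect free and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Reduce a URL (or an Origin header value) to scheme://host[:port], lowercased.
    Returns None when the value has no scheme or host, so it can never match."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(method, headers, allowed_origins=ALLOWED_ORIGINS):
    """Return (allowed, reason) for one request.

    Order of evaluation:
      1. Safe methods are always allowed.
      2. If Origin is present it is authoritative: browsers always send it on
         cross-origin non-GET requests and do not let scripts change it.
         'Origin: null' (sandboxed frames, redirects, data: URLs) is rejected.
      3. Otherwise fall back to the origin part of Referer.
      4. If neither header is present, fail closed: a browser-issued POST from
         a page normally carries at least one of them, and a missing pair is
         exactly what a request forged through a privacy-stripping proxy or a
         non-browser client looks like.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no check needed"

    h = {k.lower(): v for k, v in headers.items()}

    origin = h.get("origin")
    if origin is not None:
        if origin.strip().lower() == "null":
            return False, "opaque 'Origin: null' rejected"
        ok = origin_of(origin) in allowed_origins
        return ok, f"Origin header {'matched' if ok else 'did not match'}: {origin}"

    referer = h.get("referer")
    if referer is not None:
        ok = origin_of(referer) in allowed_origins
        return ok, f"Referer origin {'matched' if ok else 'did not match'}: {referer}"

    return False, "neither Origin nor Referer present; failing closed"


def demo():
    """Run the check over a few constructed requests (not real traffic)."""
    requests = [
        ("POST", {"Origin": "https://app.example.com"}),
        ("POST", {"Origin": "https://app.example.com.evil.example"}),   # prefix trick
        ("POST", {"Referer": "https://app.example.com/login?next=/home"}),
        ("POST", {"Referer": "https://evil.example/app.example.com"}),  # path trick
        ("POST", {"Origin": "null"}),
        ("POST", {}),
        ("GET", {}),
    ]
    results = []
    for method, headers in requests:
        allowed, reason = csrf_check(method, headers)
        results.append(allowed)
        print(f"{method:5} {'ALLOW' if allowed else 'DENY ':5} {reason}")
    return results


if __name__ == "__main__":
    demo()
```

Two points worth keeping in mind when wiring this into a real handler: compare full origins (scheme plus host plus port) rather than substrings, since `app.example.com.evil.example` and `https://evil.example/app.example.com` are both easy to construct; and run the check only on requests that can change state, because browsers do not attach `Origin` to ordinary top-level navigations.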
> It's probably fine to reset it only on login/logout. I recall seeing this option used for SPA. This would be great to have.
> Add option without cookies #54 should accomplish this but it doesn't have test coverage yet.
I should also mention that #54 also adds a `clearSession` function which was missing from the API. This is needed for any sort of manual log out. It seems pretty...
:+1: Really cool feature! Having totally self-contained web-apps is a very rare thing indeed!
Actually, this same thing would be useful for response types as well. Perhaps there's a more general solution that would be useful in every case.
What about performance?