
Pass the CSRF token for Ajax requests in an X-XSRF-TOKEN request header

Open TimWolla opened this issue 5 years ago • 2 comments

… add this header automatically for same-site requests and pull the value out of the X-XSRF-TOKEN cookie.

Rationale: Passing the CSRF token as a URL parameter is questionable. The described behavior is compatible with common JavaScript frameworks.

Depends on #3593

TimWolla, Oct 15 '20 15:10

Blocked on #3543. It does not make sense to make functional changes while everything is in flux.

TimWolla, Oct 27 '20 13:10

This probably will become easier with increased PSR-7 use. Moving to 5.6.

TimWolla, Sep 20 '21 14:09

The header will automatically be consumed by the Xsrf middleware that was added in #5059.

TimWolla, Nov 11 '22 14:11
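
The behaviour proposed in the issue description, sketched as an added example (not WoltLab Suite code and not written by the issue author): the token is read from the cookie and sent in the `X-XSRF-TOKEN` header only when the request resolves to the page's own origin. All function names are hypothetical, the cookie name follows the issue text, "same-site" is read here as the stricter same-origin check, and `init.headers` is assumed to be a plain object.

```javascript
// Added example; helper names are hypothetical, not part of any project API.
const XSRF_HEADER = "X-XSRF-TOKEN";
// Cookie name as written in the issue text; adjust to the deployment.
const XSRF_COOKIE = "X-XSRF-TOKEN";

// Extract one cookie value from a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== name) continue;
    try {
      return decodeURIComponent(part.slice(eq + 1).trim());
    } catch {
      return null; // malformed percent-encoding: treat the token as absent
    }
  }
  return null;
}

// True only when the target resolves to exactly the page's origin.
// Relative and protocol-relative URLs are resolved against the page URL.
function isSameOrigin(target, pageUrl) {
  try {
    return new URL(target, pageUrl).origin === new URL(pageUrl).origin;
  } catch {
    return false; // unparsable target: fail closed, send no token
  }
}

// Build the request headers: the token is attached for same-origin targets only.
function buildHeaders(target, pageUrl, cookieString, headers = {}) {
  const result = { ...headers };
  const token = readCookie(cookieString, XSRF_COOKIE);
  if (token && isSameOrigin(target, pageUrl)) {
    result[XSRF_HEADER] = token;
  } else {
    delete result[XSRF_HEADER]; // never forward a caller-supplied token off-origin
  }
  return result;
}

// Browser wrapper: call this instead of fetch() for Ajax requests.
function xsrfFetch(target, init = {}) {
  const headers = buildHeaders(target, location.href, document.cookie, init.headers);
  return fetch(target, { ...init, headers });
}
```

The fail-closed branches matter: a token attached to a cross-origin request is disclosed to that origin, so an unparsable URL or a different port is treated the same as a foreign host.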