csrf-magic

Sometimes, csrf magic interferes with my json request.

Open rhedin opened this issue 8 years ago • 2 comments

About half the time I find "junk" in my request payload. Naturally, the site I am communicating with complains. {"message": "Unsupported JSON format : Could not create a JSON event when trying to serialize"}

__csrf_magic=sid:1abf8...,1485208109&{"sessionId": "johnsSession", ... "productId": "berli18"}

The other half of the time, the payload is not affected. I get a 200 back.

{"sessionId": "johnsSession", ... "productId": "berli18"}

Is there some technique to leave particular requests out of the special magic? I think you add something to XMLHttpRequest's prototype. Perhaps I should new the original object. Is that available somewhere?

rhedin, Jan 24 '17 15:01

The original function is always saved as csrf_functionname; look in csrf-magic.js to see how it's done. Maybe we should just split the JS file into two and make the overloading optional...

ezyang, Feb 04 '17 01:02

I believe this was resolved by modifying the send and process functions to properly identify when objects were being used and thus inject the magic token as an element of the object rather than as a prefix string (which is incorrect).

netniV, Feb 23 '20 13:02
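
The behaviour described in the last comment, sketched as an added example that is not part of the thread and is not csrf-magic's own code: the token becomes a member of a JSON object instead of a string prefix, and cross-origin requests are left out entirely. The helper names, the same-origin exemption rule and the sample values are assumptions, and it assumes the server reads the token from the decoded JSON object.

```javascript
// Added example. Helper names are hypothetical, not csrf-magic's API.
const TOKEN_NAME = "__csrf_magic"; // field name visible in the reported payload

function isJsonBody(body, contentType) {
  if (/^application\/([\w.-]+\+)?json\b/i.test(contentType || "")) return true;
  return /^\s*[{\[]/.test(body); // fall back to sniffing the first character
}

// Returns the body to hand to the saved, original send().
function attachToken(req, token, pageOrigin) {
  const { url, body, contentType } = req;
  // Exempt cross-origin requests: the token is only meaningful to the issuing site.
  if (new URL(url, pageOrigin).origin !== pageOrigin) return body;
  const pair = TOKEN_NAME + "=" + encodeURIComponent(token);
  if (body == null || body === "") return pair;
  if (typeof body !== "string") return body; // FormData, Blob, ...: not handled here
  if (!isJsonBody(body, contentType)) return pair + "&" + body; // form-encoded POST
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return body; // malformed JSON: leave it alone rather than corrupt it further
  }
  // Only a JSON object can carry the token as a member; arrays and scalars pass through.
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return body;
  return JSON.stringify({ ...parsed, [TOKEN_NAME]: token });
}

// Constructed sample values, not taken from the report.
const ORIGIN = "https://shop.example";
const TOKEN = "sid:constructed-token,1700000000";
const json = JSON.stringify({ sessionId: "s1", productId: "p1" });
const sameSite = { url: "/api/cart", body: json, contentType: "application/json" };
const thirdParty = { url: "https://events.example/track", body: json, contentType: "application/json" };
console.log(attachToken(sameSite, TOKEN, ORIGIN));   // JSON object with the token as a member
console.log(attachToken(thirdParty, TOKEN, ORIGIN)); // body unchanged, no token sent
```

A same-origin body that passes through unchanged carries no token, so a server that enforces the check rejects it instead of accepting a corrupted payload.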