
Bug: Mandatory CSRF header hard to fill in JavaScript

Open. dylandoamaral opened this issue 4 months ago. 1 comment

Description

Hi, today CSRF requires the client to send both the cookie and a header; however, I have trouble sending the header, since the cookie is an httpOnly one that I can't access in my JavaScript app. I don't understand why we need both, why it is mandatory, and if it is, how I should proceed to retrieve the cookie value to feed the header?

Steps to reproduce

1. Run `document.cookie` when there is a CSRF token in a web browser
2. Find out we can't retrieve it, so we can't feed the CSRF header

Litestar Version

2.12.1

Platform

  • [X] Linux
  • [ ] Mac
  • [ ] Windows
  • [ ] Other (Please specify in the description above)


dylandoamaral, Oct 16 '24 18:10
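To show why the middleware asks for both the cookie and the header, here is an added, self-contained model of the double-submit CSRF check (example code written for this page, not Litestar's own implementation; the secret, cookie and header names are constructed or assumed defaults). A cross-site form can make the browser attach the cookie, but cannot add a custom header, so the header is what proves the request came from first-party script; for that script to copy the cookie into the header, the cookie must be readable from `document.cookie`, i.e. not HttpOnly (in Litestar this is assumed to be the `cookie_httponly` option of `CSRFConfig`), or the token must reach the page another way, such as embedded in the served HTML.

```python
# Added example, not Litestar's code: a minimal model of a double-submit
# CSRF check where the same token must appear in a cookie and a header.
import hashlib
import hmac
import secrets

SECRET = "constructed-demo-secret"   # the app's CSRF secret (constructed value)
COOKIE_NAME = "csrftoken"            # assumed default cookie name
HEADER_NAME = "x-csrftoken"          # assumed default header name
TOKEN_BYTES = 32


def _digest(token: str, secret: str) -> str:
    return hmac.new(secret.encode(), token.encode(), hashlib.sha256).hexdigest()


def issue_token(secret: str) -> str:
    """Random token followed by an HMAC of it, so the server can distinguish
    tokens it minted from arbitrary values that merely match each other."""
    token = secrets.token_hex(TOKEN_BYTES)
    return token + _digest(token, secret)


def token_is_genuine(value: str, secret: str) -> bool:
    token, digest = value[: TOKEN_BYTES * 2], value[TOKEN_BYTES * 2 :]
    return hmac.compare_digest(digest, _digest(token, secret))


def csrf_allowed(method: str, cookies: dict, headers: dict, secret: str = SECRET) -> bool:
    """Double-submit rule: safe methods pass; unsafe ones need the cookie,
    the header, equality between them, and a token the server actually issued."""
    if method.upper() in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True
    cookie_token = cookies.get(COOKIE_NAME)
    header_token = {k.lower(): v for k, v in headers.items()}.get(HEADER_NAME)
    if not cookie_token or not header_token:
        return False
    return hmac.compare_digest(cookie_token, header_token) and token_is_genuine(cookie_token, secret)


def demo() -> dict:
    token = issue_token(SECRET)
    # Browser attaches the cookie on its own; a cross-site form cannot add the header.
    cross_site = csrf_allowed("POST", {COOKIE_NAME: token}, {})
    # First-party script reads the non-HttpOnly cookie and copies it into the header.
    same_site = csrf_allowed("POST", {COOKIE_NAME: token}, {HEADER_NAME: token})
    # A value the server never minted matches itself but fails the HMAC check.
    unminted = "ab" * TOKEN_BYTES + "00" * 32
    not_issued = csrf_allowed("POST", {COOKIE_NAME: unminted}, {HEADER_NAME: unminted})
    return {"cross_site": cross_site, "same_site": same_site, "not_issued": not_issued}
```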