
Prevent CSRF token from being leaked to cross-origin requests

Open · Lucisu opened this issue 1 year ago · 1 comment

Currently, the code inside html_load_controller.js makes the CSRF token be sent with every Axios and Turbo request:

https://github.com/orchidsoftware/platform/blob/7e63b9c68af945c09f1dbb50896ad9f135a0e324/resources/js/controllers/html_load_controller.js#L41-L46

This, however, leaks the token to cross-origin requests as well, defeating the whole purpose of CSRF protection.

This fix prevents the token from being leaked to cross-origin requests.

For Axios, it is certain that it needs to be implemented. For Turbo, I'm not sure the "turbo:before-fetch-request" is triggered during cross-origin requests, but I added the fix there as well, just in case.

Lucisu · Aug 31 '24 16:08
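To make the proposed fix concrete, here is an added example (not the project's code and not part of the original issue) of the same-origin check applied to both request paths discussed above. It assumes the Laravel-style `X-CSRF-TOKEN` header name, the `<meta name="csrf-token">` tag, and, for Turbo, that `turbo:before-fetch-request` exposes the outgoing request as `event.detail.url` and `event.detail.fetchOptions`; the helper names are illustrative. The decision logic is kept in pure functions so it can be exercised outside a browser, and the browser wiring at the bottom only runs when `window` and `document` exist.

```javascript
// Added example, not the project's code. Header name "X-CSRF-TOKEN" and the
// Turbo event shape (detail.url / detail.fetchOptions) are assumptions.

// Resolve `url` (absolute, relative, or protocol-relative) against `base` and
// return its origin, or null when the URL does not parse. Unparsable targets
// must never receive the token.
function resolveOrigin(url, base) {
  try {
    return new URL(String(url), base).origin;
  } catch (e) {
    return null;
  }
}

// True only when the request would go to the page's own origin (same scheme,
// host and port). "/admin/x" qualifies; "https://other.example/x",
// "//other.example/x" and "http://app.example/x" (scheme change) do not.
function isSameOrigin(url, pageOrigin, base = pageOrigin) {
  return resolveOrigin(url, base) === pageOrigin;
}

// Axios request-interceptor logic as a pure function: the token header is
// added only when the request target is same-origin. config.url may be
// relative; an axios baseURL is honoured when present, so a client configured
// for a third-party API never gets the token either.
function withCsrfToken(config, token, pageOrigin) {
  const base = config.baseURL ? new URL(config.baseURL, pageOrigin).href : pageOrigin;
  if (token && isSameOrigin(config.url || '', pageOrigin, base)) {
    config.headers = Object.assign({}, config.headers, { 'X-CSRF-TOKEN': token });
  }
  return config;
}

// Turbo "turbo:before-fetch-request" handler logic, applying the same test to
// the event detail (assumed shape: { url, fetchOptions }).
function beforeFetchRequest(detail, token, pageOrigin) {
  if (token && isSameOrigin(detail.url, pageOrigin)) {
    detail.fetchOptions.headers = Object.assign({}, detail.fetchOptions.headers, {
      'X-CSRF-TOKEN': token,
    });
  }
  return detail;
}

// Browser wiring: read the token from the meta tag and register both hooks.
// Guarded so the decision logic above can be loaded and tested in Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const meta = document.querySelector('meta[name="csrf-token"]');
  const token = meta ? meta.getAttribute('content') : null;
  const pageOrigin = window.location.origin;

  if (typeof axios !== 'undefined') {
    axios.interceptors.request.use((config) => withCsrfToken(config, token, pageOrigin));
  }

  document.addEventListener('turbo:before-fetch-request', (event) => {
    beforeFetchRequest(event.detail, token, pageOrigin);
  });
}
```

The comparison is on `URL.origin`, not on the hostname alone, so a downgrade to `http://` on the same host or a different port is also treated as cross-origin; the protocol-relative form `//other.example/...` is the case most easily missed by a naive "starts with a slash" check.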

Hi! Thanks for pointing that out.

To be honest, I'm not sure it's still necessary to manually set the CSRF token this way. Back when Hotwire was still Turbolinks, it was required, but now the framework should automatically fetch the value from:

<meta name="csrf-token" content="[your-value]">

Maybe we should try removing this and rely entirely on the framework?

tabuna · Sep 01 '24 19:09