Questions tagged [x-xsrf-token]
angularjs - Adding Angular XSRF to Slim app - Is this sound?
I created an app using Slim 2 a while ago and I'm trying to add Angular. It's been going well so far, but I can no longer use the CSRF protection that I was using since Angular is handling all my post requests. Below is the Before Middleware I had working.
I know that Angular automatically looks for a token named XSRF-TOKEN and adds it to the header as X-XSRF-TOKEN. How can I modify the middleware below to write, read, and compare the correct values?
EDIT:
After looking at this again and checking the slim documentation, I changed the line:
to this:
If I'm right, this assigns the $submittedToken the value passed as X-XSRF-TOKEN in the header. It's throwing the exception with the message from the middleware "CSRF token mismatch". This feels like progress. Below is the relevant Angular:
EDIT
Below is where the PHP code stands now. I think this is working. I've received the expected CSRF error when I remove the cookie or alter the value of the $token before submitting a form. I'm a little concerned about what will happen when I have multiple users on. I haven't tested it yet. Based on this revision, does the protection appear sound?
angularjs - Why is the XSRF token not sent cross-origin?
This is a snippet from the file http.js of AngularJS 1.6.4 on GitHub.
Why is the XSRF token included only when the request is to the same origin? Shouldn't XSRF be used even when the RESTful backend is on a different host from the frontend?