
Allow setting trusted domains that can receive the XSRF token


In my application, I’m trying to add a CSRF token to my Laravel API. As per the documentation, I added the code below:

HttpClientXsrfModule.withOptions({ cookieName: 'XSRF-TOKEN', headerName: 'X-CSRF-TOKEN' }),

It doesn’t add the token to the POST login request, and Laravel is expecting a token for login.

Request Method: POST
Status Code: 500 Internal Server Error
Remote Address: 192.168.10.10:80
Referrer Policy: no-referrer-when-downgrade

Response headers:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: *
Access-Control-Allow-Origin: *
Cache-Control: no-cache, private
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Date: Thu, 26 Mar 2020 07:57:23 GMT
Server: nginx/1.15.8
Set-Cookie: laravel_session=eyJpdiI6Ikg3VUlidm5MVG92UVdrc1RjU1U1UEE9PSIsInZhbHVlIjoiZCtFcTU1bmsxZm1jUkdhZU8wV1o5Z0FnNmpUZUNQekI4V1h6QUJnaUxyU1FEeUZEUU1MQ2V1SVQ0andHclhrRXRuRmVSbVdRUldiU0NyZkJWYm1COHc9PSIsIm1hYyI6IjM3ODFhYTU3MjY3ZDY1YjIwM2ExOGI2YjMzNWNmNzhhZjA0NWNjYTBlYmVmMGRjNzJlNmU4N2E5NjcwZDgzYmQifQ%3D%3D; expires=Thu, 26-Mar-2020 09:57:23 GMT; Max-Age=7200; path=/; HttpOnly
Transfer-Encoding: chunked

Request headers:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Length: 34
Content-Type: application/json
Host: qa.api.platform
Origin: http://localhost:4200
Referer: http://localhost:4200/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Reactions:2
  • Comments:7 (4 by maintainers)

Top GitHub Comments

2 reactions
delfinogomes commented, Apr 14, 2020

Well, reading the code, it looks like absolute paths are ignored in the filter and demand a custom implementation as documented in the code: https://github.com/angular/angular/blob/f8096d499324cf0961f092944bbaedd05364eea1/packages/common/http/src/xsrf.ts#L78

But IMHO, the interceptor should not assume that an absolute path has a different origin, because it’s common in development to have a backend running on a different port but still using the same origin.

Maybe this would open a security breach, but this last part is just a guess.
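The issue above (the token never reaching the absolute-URL login request) and this comment (absolute URLs are skipped by the built-in filter, so a custom interceptor is needed) both come down to one decision: given the page origin, the request URL and an allowlist of trusted origins, may the XSRF cookie value be copied into the request header? The following is an added example, not Angular's or Laravel's code; the names `shouldAttachXsrfToken`, `xsrfHeaderFor`, `trustedOrigins`, the page origin `http://localhost:4200`, the API origin `http://qa.api.platform` (taken from the Host header in the issue) and the cookie string are all constructed for the demonstration. The GET/HEAD skip mirrors what Angular's interceptor already does; the rest is the origin comparison that a custom interceptor would add before calling `req.clone({ setHeaders: ... })`.

```typescript
// Added example (not Angular's own interceptor): origin-allowlist decision
// for forwarding an XSRF cookie value as a request header.
// Hypothetical names: shouldAttachXsrfToken, xsrfHeaderFor, trustedOrigins.

interface XsrfDecisionInput {
  method: string;           // HTTP method of the outgoing request
  url: string;              // request URL, relative or absolute
  pageOrigin: string;       // origin the SPA is served from, e.g. http://localhost:4200
  trustedOrigins: string[]; // absolute origins that are allowed to receive the token
}

/** Parse a document.cookie-style string ("a=1; b=2") into a name -> value map. */
function parseCookies(cookieString: string): Map<string, string> {
  const jar = new Map<string, string>();
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    let value = raw;
    try {
      value = decodeURIComponent(raw); // cookie values are usually URL-encoded
    } catch {
      // malformed percent-encoding: keep the raw value rather than dropping the cookie
    }
    jar.set(name, value);
  }
  return jar;
}

/** Normalise origins (scheme + host + port) so comparison is exact; malformed entries are skipped. */
function normalizeOrigins(origins: string[]): Set<string> {
  const out = new Set<string>();
  for (const o of origins) {
    try {
      out.add(new URL(o).origin);
    } catch {
      // ignore entries that are not valid absolute URLs
    }
  }
  return out;
}

/** True only when the request is state-changing and targets the page origin or a trusted origin. */
function shouldAttachXsrfToken(input: XsrfDecisionInput): boolean {
  const method = input.method.toUpperCase();
  // Same rule as Angular's built-in interceptor: safe methods never carry the token.
  if (method === 'GET' || method === 'HEAD') return false;

  let requestOrigin: string;
  let pageOrigin: string;
  try {
    pageOrigin = new URL(input.pageOrigin).origin;
    // Relative URLs resolve against the page origin, absolute ones keep their own.
    requestOrigin = new URL(input.url, pageOrigin).origin;
  } catch {
    return false; // unparseable URL: fail closed, never leak the token
  }

  if (requestOrigin === pageOrigin) return true; // the case HttpClientXsrfModule already covers
  return normalizeOrigins(input.trustedOrigins).has(requestOrigin);
}

/** Header to add to the request, or null when the token must not be sent (or no cookie is present). */
function xsrfHeaderFor(
  input: XsrfDecisionInput,
  cookieString: string,
  cookieName = 'XSRF-TOKEN',   // names as configured in the issue's withOptions() call
  headerName = 'X-CSRF-TOKEN',
): Record<string, string> | null {
  if (!shouldAttachXsrfToken(input)) return null;
  const token = parseCookies(cookieString).get(cookieName);
  if (token === undefined) return null;
  return { [headerName]: token };
}

// Constructed sample: SPA on localhost:4200 talking to the API host from the issue.
const sampleDecision = xsrfHeaderFor(
  { method: 'POST', url: 'http://qa.api.platform/login',
    pageOrigin: 'http://localhost:4200', trustedOrigins: ['http://qa.api.platform'] },
  'laravel_session=abc; XSRF-TOKEN=tok%3D123',
);
console.log(sampleDecision); // { 'X-CSRF-TOKEN': 'tok=123' }
```

In an Angular interceptor the same decision would sit in front of `req.clone({ setHeaders: xsrfHeaderFor(...) })`, with `cookieString` read via `HttpXsrfTokenExtractor` or `document.cookie`. Note that the comparison is on the full origin: a backend on `http://localhost:8000` is a different origin from `http://localhost:4200` and only receives the token if it is explicitly listed, which is exactly the development scenario the comment describes.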

1 reaction
angular-robot[bot] commented, Jun 4, 2021

Just a heads up that we kicked off a community voting process for your feature request. There are 20 days until the voting process ends.

Find more details about Angular’s feature request process in our documentation.
