Allow setting trusted domains that can receive the XSRF token
In my application, I'm trying to add a CSRF token to my Laravel API. As per the documentation I added the below code:

```ts
HttpClientXsrfModule.withOptions({ cookieName: 'XSRF-TOKEN', headerName: 'X-CSRF-TOKEN' }),
```

It doesn't add the token to the post-login request, and Laravel is expecting the token for login.
```http
Request Method: POST
Status Code: 500 Internal Server Error
Remote Address: 192.168.10.10:80
Referrer Policy: no-referrer-when-downgrade

Response headers:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: *
Access-Control-Allow-Origin: *
Cache-Control: no-cache, private
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Date: Thu, 26 Mar 2020 07:57:23 GMT
Server: nginx/1.15.8
Set-Cookie: laravel_session=eyJpdiI6Ikg3VUlidm5MVG92UVdrc1RjU1U1UEE9PSIsInZhbHVlIjoiZCtFcTU1bmsxZm1jUkdhZU8wV1o5Z0FnNmpUZUNQekI4V1h6QUJnaUxyU1FEeUZEUU1MQ2V1SVQ0andHclhrRXRuRmVSbVdRUldiU0NyZkJWYm1COHc9PSIsIm1hYyI6IjM3ODFhYTU3MjY3ZDY1YjIwM2ExOGI2YjMzNWNmNzhhZjA0NWNjYTBlYmVmMGRjNzJlNmU4N2E5NjcwZDgzYmQifQ%3D%3D; expires=Thu, 26-Mar-2020 09:57:23 GMT; Max-Age=7200; path=/; HttpOnly
Transfer-Encoding: chunked

Request headers:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Length: 34
Content-Type: application/json
Host: qa.api.platform
Origin: http://localhost:4200
Referer: http://localhost:4200/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
```
Issue Analytics
- Created 3 years ago
- Reactions: 2
- Comments: 7 (4 by maintainers)
Well, reading the code, it looks like absolute paths are ignored in the filter and demand a custom implementation as documented in the code: https://github.com/angular/angular/blob/f8096d499324cf0961f092944bbaedd05364eea1/packages/common/http/src/xsrf.ts#L78
But IMHO, the interceptor should not assume that an absolute path has a different origin, because it's common in development to have a backend running on a different port, but still using the same origin.
Maybe this would open a security breach, but this last part is just a guess.
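The comment above points at the filter in `xsrf.ts` that skips every absolute URL. The TypeScript below is an added example, not Angular's code and not a change the project has adopted: a framework-free model of the interceptor's decision flow (skip GET/HEAD, never overwrite an existing header) extended with a hypothetical `trustedOrigins` allowlist, so the origin comparison can be run and tested without Angular. `SimpleRequest`, `XsrfOptions`, `originOf`, `isTrustedTarget`, `attachXsrfHeader` and `issueScenario` are names invented here; the cookie value and the `/login` path are constructed. In a real app the same logic would sit in a custom `HttpInterceptor` provided in place of the built-in one.

```typescript
// Added example (not Angular's code): the XSRF interceptor decision flow
// with a hypothetical trusted-origin allowlist for absolute URLs.

// Minimal stand-in for Angular's HttpRequest (hypothetical shape).
export interface SimpleRequest {
  method: string;
  url: string;
  headers: Record<string, string>;
}

export interface XsrfOptions {
  cookieName: string;       // e.g. 'XSRF-TOKEN'
  headerName: string;       // e.g. 'X-CSRF-TOKEN'
  trustedOrigins: string[]; // hypothetical: absolute URLs get the token only for these origins
}

// Read the token from a document.cookie-style string such as
// "laravel_session=...; XSRF-TOKEN=abc%3D%3D". The value is percent-decoded,
// as Angular's cookie extractor also does.
export function readXsrfCookie(cookieString: string, cookieName: string): string | null {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() === cookieName) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Normalise an absolute http(s) URL or origin to "scheme://host[:port]",
// dropping the scheme's default port so "http://a:80" equals "http://a".
// Anything that does not parse cleanly (userinfo, IPv6 literals, a port
// followed by junk such as "localhost:8000.evil.com") yields null, which the
// caller treats as untrusted.
export function originOf(url: string): string | null {
  const m = /^(https?):\/\/([^\/?#:]+)(?::(\d+))?(?:[\/?#]|$)/i.exec(url);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const host = m[2].toLowerCase();
  const port = m[3];
  const defaultPort = scheme === 'http' ? '80' : '443';
  return port && port !== defaultPort ? `${scheme}://${host}:${port}` : `${scheme}://${host}`;
}

// Relative URLs are same-origin by construction and always qualify.
// Absolute and scheme-relative ("//host/...") URLs must match an allowlisted
// origin exactly after normalisation, never by string prefix.
export function isTrustedTarget(url: string, trustedOrigins: string[]): boolean {
  if (!/^(https?:)?\/\//i.test(url)) return true;
  const target = originOf(url);
  if (target === null) return false;
  return trustedOrigins.some((origin) => originOf(origin) === target);
}

// Same flow as the built-in interceptor: skip non-mutating methods and never
// overwrite a header the caller already set (header names are
// case-insensitive). The one change is that a trusted absolute URL is no
// longer skipped.
export function attachXsrfHeader(req: SimpleRequest, cookieString: string, opts: XsrfOptions): SimpleRequest {
  if (req.method === 'GET' || req.method === 'HEAD') return req;
  if (!isTrustedTarget(req.url, opts.trustedOrigins)) return req;
  const token = readXsrfCookie(cookieString, opts.cookieName);
  const wanted = opts.headerName.toLowerCase();
  const alreadySet = Object.keys(req.headers).some((h) => h.toLowerCase() === wanted);
  if (token === null || alreadySet) return req;
  return { ...req, headers: { ...req.headers, [opts.headerName]: token } };
}

// The scenario from the issue: an app on http://localhost:4200 posting to the
// absolute URL http://qa.api.platform/login (path assumed). With an empty
// allowlist this behaves like the built-in interceptor and adds nothing.
export function issueScenario(trustedOrigins: string[]): SimpleRequest {
  const opts: XsrfOptions = { cookieName: 'XSRF-TOKEN', headerName: 'X-CSRF-TOKEN', trustedOrigins };
  const cookies = 'laravel_session=constructed; XSRF-TOKEN=tok%3D%3D'; // constructed sample
  const login: SimpleRequest = { method: 'POST', url: 'http://qa.api.platform/login', headers: {} };
  return attachXsrfHeader(login, cookies, opts);
}
```

Two caveats apply to the issue's own setup even with such an allowlist. Angular's cookie extractor reads `document.cookie` of the app's origin (here `http://localhost:4200`), so an `XSRF-TOKEN` cookie set by `qa.api.platform` is never visible to it; a cross-origin API has to hand the token to the client some other way. And the captured response pairs `Access-Control-Allow-Origin: *` with `Access-Control-Allow-Credentials: true`, a combination browsers reject for credentialed requests, so the `laravel_session` cookie would not be sent cross-origin until the server echoes the exact origin instead of the wildcard.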
Just a heads up that we kicked off a community voting process for your feature request. There are 20 days until the voting process ends.
Find more details about Angular’s feature request process in our documentation.