Document AMP CSRF solution #9471
Comments
So they're not needed? Is it because of the requirements that are already in place for amp-form and the action-xhr attribute?
See this documentation: https://github.com/ampproject/amphtml/blob/master/spec/amp-cors-requests.md#verify-state-changing-requests The same page is also there somewhere on the official website.
Definitely not clear there whether they are required. :)
/cc @bpaduch
will look @ in: Q2
Thanks! /cc @lswang1618 as she might have more insight into what e-comm developers need in this area
AMP will need to add functionality to amp-form to enable XSRF token support, since XSRF tokens are usually added to forms by the server rendering the HTML, which does not work for AMP since the document will be cached. So the token needs to be requested and rendered into the form by AMP. This CSRF token feature has been partially spec'd and will be necessary to allow file upload (#9791) and password fields (#10902) in non-XHR forms.
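The comments above point to the "verify state-changing requests" section of the AMP CORS spec as the reason a server-rendered CSRF token is not needed for XHR forms: because the document is served from a cache, the backend instead validates where the request came from. The following is an added example, not code from this thread or from the AMP project, of a backend check in that style. The header and query-parameter names (Origin, AMP-Same-Origin, __amp_source_origin), the cache subdomain mapping, and the sample hosts (example.com, evil.invalid) and path are assumptions drawn from my reading of the linked spec, not from this page.

```python
from urllib.parse import parse_qs, urlparse

# Constructed publisher configuration for this example (hypothetical site).
PUBLISHER_ORIGIN = "https://example.com"
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def amp_cache_origin_for(publisher_host):
    """Derive the AMP cache origin that serves a publisher's documents.

    Assumed mapping: '-' becomes '--' and '.' becomes '-', so
    example.com -> https://example-com.cdn.ampproject.org
    """
    label = publisher_host.replace("-", "--").replace(".", "-")
    return f"https://{label}.cdn.ampproject.org"


def allowed_origins():
    """Origins permitted to send state-changing requests to this backend."""
    publisher_host = urlparse(PUBLISHER_ORIGIN).hostname
    return {
        PUBLISHER_ORIGIN,
        "https://cdn.ampproject.org",
        amp_cache_origin_for(publisher_host),
    }


def verify_state_changing_request(method, headers, url):
    """Decide whether a request may change server state.

    Returns (accepted, reason). Pattern assumed from the linked spec section:
    the Origin header must be an allowed origin (or AMP-Same-Origin: true must
    be present when the browser omits Origin), and the __amp_source_origin
    query parameter must name the publisher's own origin.
    """
    if method.upper() not in STATE_CHANGING_METHODS:
        return True, "read-only method, no origin check required"

    hdrs = {k.lower(): v for k, v in headers.items()}
    query = parse_qs(urlparse(url).query)
    source_origin = query.get("__amp_source_origin", [None])[0]

    origin = hdrs.get("origin")
    if origin is None:
        # Same-origin fetches may omit Origin; AMP marks them explicitly.
        if hdrs.get("amp-same-origin", "").lower() != "true":
            return False, "no Origin header and no AMP-Same-Origin: true"
    elif origin not in allowed_origins():
        return False, f"Origin not allowed: {origin}"

    if source_origin != PUBLISHER_ORIGIN:
        return False, f"unexpected __amp_source_origin: {source_origin!r}"

    return True, "accepted"


# Constructed sample requests (method, headers, URL); not captured traffic.
SOURCE = "__amp_source_origin=https%3A%2F%2Fexample.com"
SAMPLE_REQUESTS = {
    "from_amp_cache": ("POST", {"Origin": "https://example-com.cdn.ampproject.org"},
                       f"https://example.com/api/subscribe?{SOURCE}"),
    "same_origin": ("POST", {"AMP-Same-Origin": "true"},
                    f"https://example.com/api/subscribe?{SOURCE}"),
    "foreign_origin": ("POST", {"Origin": "https://evil.invalid"},
                       f"https://example.com/api/subscribe?{SOURCE}"),
    "missing_source_origin": ("POST", {"Origin": "https://cdn.ampproject.org"},
                              "https://example.com/api/subscribe"),
    "plain_get": ("GET", {}, "https://example.com/api/items"),
}


def check_samples():
    """Run every constructed sample through the verifier; name -> accepted."""
    return {name: verify_state_changing_request(*req)[0]
            for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, accepted in check_samples().items():
        print(f"{name:>22}: {'accepted' if accepted else 'rejected'}")
```

The check is only as strong as the allowed-origin list: a backend that accepts any Origin, or that skips the __amp_source_origin comparison, loses the protection this replaces, so both conditions are evaluated for every state-changing method and read-only methods are left alone.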
Any update on enabling CSRF tokens in forms? I use Rails as the backend, and for security we need that CSRF token to be sent as a parameter, but this token should be the same as
Essentially there is no need for a CSRF token, checking
I've gotten the question a couple times as to whether AMP supports CSRF tokens — it would be great to clearly articulate in the amp-form documentation how CSRF is handled, and why tokens are not needed.
/cc @aghassemi