feat(common): on-by-default XSRF support in HttpClient #18108
Conversation
|
You can preview 3f24287 at https://pr18108-3f24287.ngbuilds.io/. |
| * found in the LICENSE file at https://angular.io/license | ||
| */ | ||
|
|
||
| import {DOCUMENT, ɵparseCookieValue as parseCookieValue} from '@angular/common'; |
There was a problem hiding this comment.
you might as well move ɵparseCookieValue into common/http, no?
There was a problem hiding this comment.
That would introduce a dependency from @angular/platform-browser on @angular/common/http, which I'd rather avoid.
| @@ -1127,6 +1127,20 @@ export declare class HttpXhrBackend implements HttpBackend { | |||
| } | |||
|
|
|||
| /** @experimental */ | |||
| export declare class HttpXsrfModule { | |||
| static disabled(): ModuleWithProviders; | |||
|
You can preview 65a508c at https://pr18108-65a508c.ngbuilds.io/. |
| // Skip both non-mutating requests and absolute URLs. | ||
| // Non-mutating requests don't require a token, and absolute URLs require special handling | ||
| // anyway as the cookie set | ||
| // on our origin is not the same as the token expected by another origin. |
There was a problem hiding this comment.
And if the URL is absolute and the origin is the same? Still testing, but I am experiencing a breaking change here with absolute API URL.
There was a problem hiding this comment.
Confirmed. XSRF token header is not added if the URL is absolute. While it is not a breaking change exactly, because the HttpClient is a new class, I see no reasons why absolute URLs are wrong. A case where absolute URL is a good thing: I store the base URL in environment.ts and use it in HttpClient, as well as in WebSocket where I replace "https://" with "wss://" (WebSocket requires absolute URL). Having a relative URL will force me to think about how to make URL relative before each HTTP request.
There was a problem hiding this comment.
I just ran into this issue. My API is actually located at a totally different URL (and server) from where my app is served which requires me to use absolute URL. It sounds like some sort of white-list is necessary for this option, or another flag on HttpClient.Post() options.
There was a problem hiding this comment.
My API uses collection-json which relies heavily on links (absolute URLs), my app constantly uses those links to POST, DELETE etc. This breaks my app and I can't migrate from Http unless I manually convert every link to relative before the request.
@IgorMinar @alxhub Is it necessary to disallow xsrf when using absolute url?
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
No description provided.