Adding `xsrf` configuration option to allow for toggling of XSRF protection #98

Closed
wants to merge 3 commits into from

@skevy

commented Aug 3, 2015

New default is disabled. Potentially breaking change for some, but enables axios to work on client-side JS platforms other than the browser (e.g. react-native).

@skevy

Author

commented Aug 3, 2015

Would help with #70, though without further testing I'm not sure it would fully resolve.

@skevy

Author

commented Aug 3, 2015

I'm confused about this test failure...not sure it has anything to do with my code. Seems like a configuration issue.

@skevy force-pushed the skevy:optional-xsrf branch from d9c7340 to 6388c27 on Aug 3, 2015

@dfournier

Contributor

commented Aug 4, 2015

I had the same problem. I opened a PR which fixes your problem. Have a look at #100 😄

@skevy

Author

commented Aug 4, 2015

Awesome. Thanks @dfournier! I'll wait to fix until #100 is merged and then I'll rebase.

@mzabriskie

Member

commented Aug 5, 2015

@skevy try rebasing. Also, let's call the flag `xsrfEnabled`, and default it to `true`.

@skevy force-pushed the skevy:optional-xsrf branch from 6a694f8 to 7e2d6f7 on Sep 2, 2015

@skevy

Author

commented Sep 2, 2015

@mzabriskie should be all set. Sorry for the delay on this :)

@skevy referenced this pull request on Sep 2, 2015

Closed

Upgrade axios to 0.6.0 #44

@mzabriskie

Member

commented Sep 21, 2015

@skevy I was just about to merge this, when I had a thought. Why do we need a config option? I think that axios should be smart enough to know when it is not in a browser environment, and gracefully skip the XSRF stuff itself. This would allow it to work in a web worker as well.

Basically let's get rid of `config.xsrfEnabled`, keep your changes to `lib/xhr.js`, but test for `typeof window !== 'undefined'`.

@skevy

Author

commented Sep 25, 2015

@mzabriskie while I think the idea is right, I'm not sure what the best way to detect that would be. At the moment, especially when running in debug mode, there's really no way to easily tell whether RN is a browser or not. There's an open proposal to add something to navigator to help with this: facebook/react-native#1331

@mzabriskie

Member

commented Sep 25, 2015

@skevy would it matter if react-native is running in the browser? In that case it will try adding the xsrf cookie as a header to the request. But if the cookie doesn't exist, no harm done. The real problem is avoiding a reference to `window.location` or `document.cookie` when they don't exist. In debug mode they exist, and we're no worse for the wear.

@mzabriskie

Member

commented Sep 29, 2015

I had @tylermcginnis do some testing for me. Here are the findings:

```
window.location: {host: "localhost:8081"}
document.cookie: ""
document.createElement: null
```

These are the only browser specific references that axios is using for xsrf protection. I believe that if we test around these conditions, we can make axios work in react-native.

@tylermcginnis

commented Sep 29, 2015

Let me know if you need any more help, glad to help.
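
The guard discussed in this thread, written out as an added example; it is not code from this pull request or from axios. The function names, the `env` parameter, the cookie and header names, and the three sample environments are assumptions made for illustration. The header is attached only for same-origin requests and only when the globals actually exist.

```javascript
// Added example. Names are hypothetical; `env` stands in for the global scope
// so that each runtime discussed in the thread can be simulated offline.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq > -1 && part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Returns { name, value } for the header to attach, or null to skip XSRF handling.
function xsrfHeaderFor(env, requestUrl, cookieName = 'XSRF-TOKEN', headerName = 'X-XSRF-TOKEN') {
  const loc = env.window && env.window.location;
  const doc = env.document;
  // Feature-test the globals instead of assuming a browser.
  if (!loc || typeof loc.host !== 'string') return null;
  if (!doc || typeof doc.cookie !== 'string') return null;
  let target;
  try {
    // URL is used for parsing, so a null document.createElement does not matter.
    target = new URL(requestUrl, `${loc.protocol || 'http:'}//${loc.host}`);
  } catch (err) {
    return null; // unparseable URL: do not attach the token
  }
  // Same-origin requests only, so the token is never sent to another host.
  if (target.host !== loc.host) return null;
  if (loc.protocol && target.protocol !== loc.protocol) return null;
  const token = readCookie(doc.cookie, cookieName);
  return token ? { name: headerName, value: token } : null;
}

// Constructed environments; rnDebug mirrors the values reported in the thread.
const browser = {
  window: { location: { protocol: 'https:', host: 'app.example' } },
  document: { cookie: 'theme=dark; XSRF-TOKEN=abc%3D123', createElement() {} },
};
const rnDebug = {
  window: { location: { host: 'localhost:8081' } },
  document: { cookie: '', createElement: null },
};
const noGlobals = {}; // no window or document at all

console.log(xsrfHeaderFor(browser, '/api/items'));
console.log(xsrfHeaderFor(browser, 'https://other.example/api'));
console.log(xsrfHeaderFor(rnDebug, '/api/items'));
console.log(xsrfHeaderFor(noGlobals, 'https://api.example/items'));
```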
