CSRF token support. #148
CSRF token support. #148
Conversation
…ded for using Devise/Warden authentication with rails, and also other apps that require a valid token for xhr
|
Thanks for your contribution, but it's already possible to add arbitrary request headers using the requestHeaders option. |
|
Sorry, I didn't think to look in the code to see if you'd added something for that, just did a quick docs scan. I'll just use that option then. Thanks again! |
|
Nah, it's my fault, should have documented it along with adding the feature. |
|
Hi there, I just took a look at those links and can't seem to find the requestHeader options. Have they been moved? |
|
Since version 5, the plugin accepts all $.ajax parameters as part of its options object. However please note that the Iframe Transport (required by IE and Opera) doesn't support setting request headers. |
|
Thanks for that! |
|
Using the headers option like this: $('#fileupload').fileupload({
dropZone: $('#dropzone'),
headers: {
'X-CSRF-Token': csrf_token
}
});Seems to do the trick for file uploads, however the header is not attached in the destroy action (when clicking the delete button). It seems that the _getAJAXSettings() method is not invoked inside the destroy() handler. @blueimp ? |
|
That's because deleting files is not part of the core plugin, it's only part of the UI version. $('#fileupload').fileupload({
headers: {
'X-CSRF-Token': csrf_token
},
destroy: function (e, data) {
data.headers = $(this).data('fileupload')
.options.headers;
$.blueimpUI.fileupload.prototype.options.destroy
.call(this, e, data);
}
}); |
|
Thanks, this did the trick. However, I had to slightly amend the last line based on the Plugin extensions example to include a .options.: destroy: function (e, data) {
data.headers = $(this).data('fileupload').options.headers;
$.blueimpUI.fileupload.prototype.options.destroy.call(this, e, data);
} |
|
You're totally right, the ".options" was missing - I was typing it out of memory, my mistake. :D |
|
There is the possibility of putting an ajax call inside the method? $('#fileupload').fileupload({ when I do that then he give the following error TypeError: that is undefined that._adjustMaxNumberOfFiles(1); |
|
@blueimp Could you provide an example of how to implement your suggestion for using URL parameters for iframe upload? Finding it difficult to adapt your example of extending options for Delete. Much appreciated. |
|
You can use formData to send CSRF tokens: |
|
Hey, I am using codeigniter CSRF and I am unable to send the token. Can you please tell me how can I do it. |
|
I might be stupid, but when I do this: the deletion is working, but it is not removed from the page. $.blueimpUI is not defined for me. |
I've added CSRF (cross-site request forgery token) support, as I needed it for a rails app which uses the Devise user authentication library.
Looks for a CSRF meta tag on the page, and if found adds a X-CSRF-Token header to the request.
An alternate implementation would be to add an option to either set the csrf token manually, or just one that allows adding arbitrary headers. If you'd prefer I can work something like one of those up.
Thanks for your great work on the library, it's making file uploads much easier for me!