Allow both encrypted + unencrypted CSRF header token #7528
I know something similar has been submitted before, but currently CSRF works for these situations:
But it doesn't for other common use-cases:
Some frameworks/scripts already use this convention, like jQuery UJS.
We see a lot of issues by people not understanding the decryption or need to remove it. This will allow all cases:
And a section would need to be added to the docs, but I'm willing to write that, with a few simple examples.