[5.8] Remove unnecessary X-CSRF-TOKEN header from our Axios instance #5083
Merged
taylorotwell
merged 1 commit into
laravel:master
from
jessarcher:remove-unnessecery-code
Aug 21, 2019
Conversation
This is unnecessary code because Axios already automatically adds an X-XSRF-TOKEN header from the XSRF-TOKEN cookie encrypted value on same-origin requests. The `VerifyCsrfToken` middleware and Passport's `TokenGuard` already allow using the `X-XSRF-TOKEN` header.
jessarcher
changed the title
Remove unessecery X-CSRF-TOKEN header from our Axios instance
Remove unnecessary X-CSRF-TOKEN header from our Axios instance
Aug 21, 2019
driesvints
changed the title
Remove unnecessary X-CSRF-TOKEN header from our Axios instance
[5.8] Remove unnecessary X-CSRF-TOKEN header from our Axios instance
Aug 21, 2019
Maybe this is best targeting 6.0?
@GrahamCampbell not sure why since this isn't a breaking change. The skeleton is only used for new installs.
jenky
added a commit
to jenky/laravel
that referenced
this pull request
Aug 23, 2019
Remove manual adding of X-CSRF-TOKEN header (laravel#5083)
Closed
What about the meta tag? Can't that be removed as well?
laravel/echo still depends on it. I can't think of any reason off the top of my head why it couldn't be modified to use the
ncatanchin
added a commit
to ncatanchin/laravel
that referenced
this pull request
Aug 30, 2019
This reverts commit aa74fcb.
Omranic
added a commit
to rinvex/cortex
that referenced
this pull request
Sep 3, 2019
This was referenced Sep 9, 2019
Omranic
added a commit
to rinvex/cortex
that referenced
this pull request
Nov 23, 2019
* release/v2.2.0: (24 commits)
  Bump version
  Apply fixes from StyleCI
  Upgrade Laravel to v6.5
  Update clockwork .gitignore file
  Override config files
  Upgrade to Laravel v6.3
  Add missing config options
  Fix phone number input display issue
  Add new reauthentication config option
  Update config files to Laravel v6.2
  Cast process.env.MIX_HASHIDS_LENGTH to number to fix JS error
  Update project to Laravel v6.2
  Upgrade to Laravel v6 and update composer / npm packages
  Update jquery.validation library
  Use singular guard names for email verification brokers
  Use singular for passwords
  Enforce consistency
  Remove manual adding of X-CSRF-TOKEN header (laravel/laravel#5083)
  Update config files & enforce consistency
  Update media config options
  ...
In `bootstrap.js` we currently add an `X-CSRF-TOKEN` HTTP header (note the 'C') to the Axios instance that we instantiate, using the value of a `<meta>` tag added by the auth scaffolding. This is not necessary because Axios already has similar functionality enabled by default where it will add an `X-XSRF-TOKEN` HTTP header (note the second 'X') using the value of the `XSRF-TOKEN` cookie.

On a current installation of Laravel, our Axios instance requests have both the `X-CSRF-TOKEN` and the `X-XSRF-TOKEN` HTTP headers. The only difference is the `X-CSRF-TOKEN` value is unencrypted, while the `X-XSRF-TOKEN` value is encrypted.

I believe we can safely remove the `X-CSRF-TOKEN` HTTP header configuration from `bootstrap.js` because Laravel already verifies requests using the `X-XSRF-TOKEN` HTTP header in the `VerifyCsrfToken` middleware. The same is also now true for Passport >=7.4 `TokenGuard` for users consuming their API with JavaScript.

I have verified that this works on a fresh Laravel 5.8 installation for Axios POST requests going through our `web` middleware group, as well as requests going through the `auth:api` middleware when Passport is configured as linked above.

I have submitted a draft PR at laravel/docs#5382 to update the docs if this is accepted.