stripybadger (Migrated from SEC-2655) said:
The CsrfFilter sets the csrf token as an attribute in the request. This is great if you're using a jsp, as you can then embed the token into your page.
If you're not using a jsp, this is annoying. For example, many webapps now use simple html pages that load javascript, and then make ajax requests. It would be useful therefore if the CsrfFilter could set the token in a header as well. This would enable javascripty clients to extract the value from the header, store it, and then use it in subsequent ajax requests.
I'm aware that I could write an additional filter to achieve this, but it seems like something simple that could usefully be included in CsrfFilter.
Note that prior to 48283ec#diff-21c30055f2a19cf6fb7e1f8116ed07e5L77 it used to return the token in a header - I'm not clear why though.
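The extra filter the comment mentions, as an added example that is not part of the original issue or of Spring Security's own code: it runs after CsrfFilter, reads the CsrfToken that CsrfFilter stored as a request attribute, and echoes it in a response header so a script-driven client can pick it up. The class name `CsrfHeaderFilter` and the package are assumptions; `CsrfToken`, `OncePerRequestFilter` and the `CsrfToken.class.getName()` attribute key are the real Spring Security APIs.

```java
// Added example, not Spring Security's own code. Package and class name are assumed.
package com.example.security;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Copies the CSRF token that CsrfFilter placed in the request into a
 * response header, so HTML-plus-JavaScript clients can read it without a JSP.
 * Register it after CsrfFilter, e.g. in configure(HttpSecurity):
 *   http.addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class);
 */
public class CsrfHeaderFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain)
            throws ServletException, IOException {
        // CsrfFilter stores the token under the CsrfToken class name as the attribute key.
        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        if (token != null) {
            // Reuse the header name the client must send the token back in
            // (X-CSRF-TOKEN with the default HttpSessionCsrfTokenRepository),
            // so the client learns both the name and the value from one response.
            // Headers must be set before the response is committed, which is
            // why this happens before the chain continues.
            response.setHeader(token.getHeaderName(), token.getToken());
        }
        filterChain.doFilter(request, response);
    }
}
```

On the client, an XMLHttpRequest reads the value with `getResponseHeader("X-CSRF-TOKEN")` from any response and sends it back with `setRequestHeader("X-CSRF-TOKEN", token)` on subsequent POST/PUT/DELETE requests. One caveat: the header is only safe because same-origin script is the only code that can read it; if the application also enables CORS, do not add this header to `Access-Control-Expose-Headers` for origins you do not trust, or a cross-origin page allowed to make credentialed requests could read the token and defeat the check.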