Support for CSRF?

[selenwall]

I don't know if this should go as an issue, but I can't find any documentation on the support for CSRF.

For now, if there aren't such support in whatwg-fetch I would just need to know how I should be able to fetch X-CSRF-TOKEN from the header of OPTIONS request made during CORS preflight. I need this token to use in next request.

[annevk]

I don't really follow your question. CSRF is not a feature, it's an attack. There's various ways to mitigate that attack, but no particular one is standardized.

[annevk]

Closing due to lack of follow up.

[taodongl]

There is the functionality at ajax library https://github.com/mzabriskie/axios:
read token from cookie:XSRF-TOKEN and write the value to http header:X-XSRF-TOKEN
The similar mechanism is used by angular too.

[annevk]

Okay, libraries can continue to do that on top of fetch(). We're not going to make that part of the standard library however.

[jakearchibald]

See https://tools.ietf.org/html/draft-west-first-party-cookies-07 for mitigations against csrf