alan-agius4
commented
2 weeks ago Hi @surajchopra1234, are you using withFetch? and which Angular CLI builders are you using?
Open surajchopra1234 opened 2 weeks ago
alan-agius4
commented
2 weeks ago Hi @surajchopra1234, are you using withFetch? and which Angular CLI builders are you using?
surajchopra1234
commented
2 weeks ago Hi @alan-agius4
I am using withFetch and new application builder in angular.
alan-agius4
commented
2 days ago It seems that XSRF does not work for URLs with protocols due the implementation in the framework, see: https://github.com/angular/angular/blob/f1e3ec2601dac808af87137bc5ae5e28f512e9f4/packages/common/http/src/xsrf.ts#L100-L101
This limitation is due to variations in the cookies set across different origins. However, it doesn't handle the case of a cookie being shared between sub-domains. Can you confirm if this is the type of cookie in your scenario?
Protocol-less URLs, are solely managed by browsers, thus incompatible with environments like Node.js. The browser determines the protocol based on the current page, making this feature nonfunctional on servers. Additionally, the usage of protocol-less URLs has become less common due to various drawbacks:
On the server side while doing SSG/SSR, the XSRF token currently is being noop'd. see: https://github.com/angular/angular/blob/f1e3ec2601dac808af87137bc5ae5e28f512e9f4/packages/common/http/src/xsrf.ts#L74-L76 While it's feasible to adjust this behavior for SSR, in the case of SSG, the token will remain undefined. This occurs because there is no request during SSG, preventing retrieval of the cookie from the document or request.
This would require the framework to support a different approach, either by setting an value of the token via an environment variable example XSRF_TOKEN="blabla" ng build or being set in the application as a DI token.
const serverConfig: ApplicationConfig = {
providers: [
provideServerRendering(),
{
provide: XSRF_TOKEN,
useFactory: () => generateXsrfToken()
}
]
};Hi @alan-agius4,
Thank you for working on this issue.
Backend: Located at api.domain.com
Angular App: Running on www.domain.com
XSRF Cookie: Domain is set to.domain.com, making it accessible from both api.domain.com and www.domain.com
https://api.domain.com/api/user ) would solve all the issue and allow us to have consistent URLs across SSR, SSG, and client-side browser.
Which @angular/* package(s) are the source of the bug?
common
Is this a regression?
Yes
Description
My backend API resides at
api.domain.comI'm using the path
//api.domain.com/api/productfor fetching data within the Angular app. This approach is necessary because withXsrfConfiguration() doesn't function correctly with absolute paths (e.g., https://api.domain.com/api/product).While this relative path (
//api.domain.com/api/product) works properly during runtime, it fails to resolve correctly during SSG build time. This results in no data for the product prerendered page.Interestingly, absolute paths do work during SSG, but they prevent the use of withXsrfConfiguration, which is crucial for Cross-Site Request Forgery (CSRF) protection.
Is there a known workaround to address the incompatibility between withXsrfConfiguration and relative paths in SSG in Angular 17.
Also, if we use proxies and have a relative URL like
/api/product, this might work with withXsrfConfiguration but not in SSG.Conclusion
// (protocol-relative) and / (root-relative)work with withXsrfConfiguration but not in SSG and Absolute URLs work in SSG but not with withXsrfConfiguration.Please provide a link to a minimal reproduction of the bug
No response
Please provide the exception or error you saw
No response
Please provide the environment you discovered this bug in (run
ng version)Anything else?
No response