Closed mingard closed 6 years ago
Can you give an example of a scenario where you'd want to skip CSRF protection?
An AJAX call to an RSS feed.
I've discovered that even if a CSRF token exists as a hidden form field, an XMLHttpRequest will not work, possibly because there's no session.
One method I've written since opening this ticket is the following:
```javascript
document.querySelector('form').addEventListener('submit', function (e) {
  e.preventDefault();
  var formData = new FormData(e.target);
  var request = new XMLHttpRequest();
  var method = e.target.getAttribute('method');
  // open() needs a URL as well as the method; take it from the form's action attribute
  request.open(method, e.target.getAttribute('action'));
  if (formData.get("_csrf")) {
    // copy the hidden-field token into a header so the server can read it from the XHR
    request.setRequestHeader("X-CSRF-Token", formData.get("_csrf"));
  }
  request.send(formData);
});
```
Still, in circumstances where there are no exploit vectors, it would be good to add some flexibility.
An AJAX call to an RSS feed? Should this not be a GET request, rather than a POST?
Bad example - I've used this in a request that updates a session value based on the submission of a form, which in turn returns a success boolean.
Rather than adding a whitelist, I will document this approach.
There are some instances where a particular URI doesn't require protection. It would be useful to be able to whitelist these.