Closed empijei closed 3 years ago
Currently we validate CSRF tokens based on paths, but this makes writing applications very hard.
For example, a "logout" button cannot post to a "/logout" endpoint from a "/profile" page or it will be blocked.
This protection mechanism is aimed at protecting from cross-site forgery anyway, not cross-path forgery.
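The two token scopes the issue contrasts, as an added example in Go (this is not go-safeweb's code): a hypothetical HMAC-SHA256 token bound to the request path, beside one bound only to the session. The secret, session IDs and paths are constructed for the demo. It shows that a path-bound token minted on /profile is rejected when the form posts to /logout, that a session-bound token is accepted there, and that a cross-site forgery that lacks the victim's token is rejected under both schemes, which is the point the issue makes: the site-wide scope loses nothing against cross-site attackers.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed demo secret; a real deployment derives this from server config.
var secret = []byte("constructed-demo-secret-do-not-use")

// mac computes HMAC-SHA256 over the given parts, NUL-separated so that
// ("a","bc") and ("ab","c") never collide.
func mac(parts ...string) string {
	h := hmac.New(sha256.New, secret)
	for _, p := range parts {
		h.Write([]byte(p))
		h.Write([]byte{0})
	}
	return hex.EncodeToString(h.Sum(nil))
}

// PathBoundToken models the restrictive scheme: the token is only valid for
// the path it was minted for.
func PathBoundToken(sessionID, path string) string {
	return mac("path", sessionID, path)
}

func ValidatePathBound(sessionID, path, tok string) bool {
	return hmac.Equal([]byte(PathBoundToken(sessionID, path)), []byte(tok))
}

// SessionBoundToken models the site-wide scheme: valid on any path for the
// session that minted it, but still unforgeable without that session's token.
func SessionBoundToken(sessionID string) string {
	return mac("session", sessionID)
}

func ValidateSessionBound(sessionID, tok string) bool {
	return hmac.Equal([]byte(SessionBoundToken(sessionID)), []byte(tok))
}

// request is what the server sees on a POST: the session from the cookie,
// the target path, and the token from the hidden form field.
type request struct {
	sessionID string
	path      string
	token     string
}

func validate(r request, pathBound bool) bool {
	if pathBound {
		return ValidatePathBound(r.sessionID, r.path, r.token)
	}
	return ValidateSessionBound(r.sessionID, r.token)
}

// logoutFromProfile is the scenario from the issue: the /profile page embeds
// a token, and its logout form POSTs to /logout. Returns whether the POST
// is accepted under the chosen scheme.
func logoutFromProfile(pathBound bool) bool {
	const sid = "sess-123" // constructed session ID
	var tok string
	if pathBound {
		tok = PathBoundToken(sid, "/profile") // minted for the page that rendered it
	} else {
		tok = SessionBoundToken(sid)
	}
	return validate(request{sessionID: sid, path: "/logout", token: tok}, pathBound)
}

// crossSiteForgery models an attacker page submitting a form in the victim's
// browser: the victim's cookie rides along, but the attacker cannot read the
// victim's token and can only supply one minted for the attacker's own session.
func crossSiteForgery(pathBound bool) bool {
	const victimSID = "sess-123"
	attackerTok := SessionBoundToken("attacker-session")
	return validate(request{sessionID: victimSID, path: "/logout", token: attackerTok}, pathBound)
}

func main() {
	fmt.Println("path-bound: logout from /profile accepted?", logoutFromProfile(true))
	fmt.Println("session-bound: logout from /profile accepted?", logoutFromProfile(false))
	fmt.Println("path-bound: cross-site forgery accepted?", crossSiteForgery(true))
	fmt.Println("session-bound: cross-site forgery accepted?", crossSiteForgery(false))
}
```

The path-bound check fails the legitimate logout because the token carries "/profile" while the POST targets "/logout"; the session-bound check accepts it, and both reject the forged request because the attacker never learns the victim's token.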