mgonto / restangular

AngularJS service to handle Rest API Restful Resources properly and easily
MIT License

Cross-site request forgery (XSRF) support. #1113

Open joshikeerti opened 9 years ago

joshikeerti commented 9 years ago

From the Angular documentation I see this: "When performing XHR requests, the $http service reads a token from a cookie called XSRF-TOKEN and sets it as the HTTP header X-XSRF-TOKEN."

Is this true in case of restangular as well or do we need to set anything explicitly?

miraage commented 9 years ago

Since Restangular uses $http - might be working.

jaltmanQ commented 8 years ago

Any update on this? I'm trying to implement XSRF protection and wondering if I'll be able to use Angular's implementation.

rdtome commented 7 years ago

Subscribing to this issue. @miraage, I can't see this working on my project. I set the XSRF-TOKEN cookie but never get the X-XSRF-TOKEN header in return. Maybe @mgonto would be able to confirm?

I've tried adding this to my app:

.config(function($httpProvider){
    $httpProvider.defaults.xsrfCookieName = 'XSRF-TOKEN';
    $httpProvider.defaults.xsrfHeaderName = 'X-XSRF-TOKEN';
})

but it made no difference.

rdtome commented 7 years ago

I got there in the end, thanks to this Stack Overflow thread.

It turns out that AngularJS will only return the X-XSRF-TOKEN header if the XSRF-TOKEN cookie is set with the httpOnly flag set to false.

And this gets it working for me. :-)
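
Editor's added example, not part of any comment above and not Restangular or AngularJS source: a Node.js model of the behaviour the thread arrives at. The cookie and header names are the ones quoted in the issue; the function names, the extra cookie attributes and the server-side comparison of header against cookie are assumptions made for illustration.

```javascript
// Added example. Names XSRF-TOKEN / X-XSRF-TOKEN come from the thread;
// all function names here are hypothetical.
const crypto = require('crypto');

const XSRF_COOKIE = 'XSRF-TOKEN';
const XSRF_HEADER = 'x-xsrf-token'; // Node lowercases incoming header names

// Build the Set-Cookie value for the token. Path/Secure/SameSite are assumed
// attributes. The token cookie must NOT be HttpOnly, or page script (and so
// $http) cannot read it to copy into the request header.
function issueXsrfCookie(httpOnly = false) {
  const token = crypto.randomBytes(32).toString('hex');
  const attrs = [`${XSRF_COOKIE}=${token}`, 'Path=/', 'Secure', 'SameSite=Lax'];
  if (httpOnly) attrs.push('HttpOnly');
  return { token, setCookie: attrs.join('; ') };
}

// Model of what document.cookie exposes: HttpOnly cookies are hidden from script.
function scriptVisibleCookies(setCookieHeaders) {
  const visible = {};
  for (const header of setCookieHeaders) {
    const [pair, ...attrs] = header.split(';').map((s) => s.trim());
    if (attrs.some((a) => a.toLowerCase() === 'httponly')) continue;
    const i = pair.indexOf('=');
    visible[pair.slice(0, i)] = pair.slice(i + 1);
  }
  return visible;
}

// Client side, per the quoted documentation: copy the cookie value into the
// header, which is only possible when the cookie is readable by script.
function clientHeaders(setCookieHeaders) {
  const token = scriptVisibleCookies(setCookieHeaders)[XSRF_COOKIE];
  return token ? { [XSRF_HEADER]: token } : {};
}

// Server side (assumed check): the header must be present and equal to the
// cookie value; compared in constant time.
function verifyXsrf(cookieToken, headers) {
  const sent = headers[XSRF_HEADER];
  if (typeof sent !== 'string' || typeof cookieToken !== 'string') return false;
  const a = Buffer.from(sent);
  const b = Buffer.from(cookieToken);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}
```

With `issueXsrfCookie(true)` the client model produces no header and `verifyXsrf` rejects the request, which matches the symptom reported above. A session cookie can stay HttpOnly; only the XSRF token cookie needs to be script-readable.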