Closed jacovig closed 4 years ago
Thanks for the report, PR welcome!
This issue seems to be with ring-defaults more than sente ... ?
I don't see a way Sente can get a csrf with the current ring wrap-defaults site-defaults behavior, so custom middleware wrapping is required.
This seems like a really bad default for ring; I'll try to raise an issue on ring-defaults.
Ring now puts anti-forgery in the request (for ring-defaults 0.3.2+)
https://github.com/ptaoussanis/sente/pull/323
^^ this small change looks for the token and uses it if available, and resolves the Sente issue.
When your first URL (e.g. /index.html) exists in resources, no CSRF token is ever transmitted. This seems to be due to wrap-resources taking place before wrap-anti-forgery in wrap-default, and so stealing the request, which does not get anti-forgery. Changing the order (first anti-forgery, next wrap-resources) works like a charm.
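The middleware ordering described in the last comment, as an added example that is not part of the original thread or of Sente's or Ring's own code. It assumes a `public/index.html` resource on the classpath; `app-handler`, `resources-outside`, `resources-inside` and `sets-session-cookie?` are hypothetical names.

```clojure
(ns example.middleware-order
  (:require [ring.middleware.anti-forgery :refer [wrap-anti-forgery]]
            [ring.middleware.resource :refer [wrap-resource]]
            [ring.middleware.session :refer [wrap-session]]
            [ring.middleware.session.memory :refer [memory-store]]))

;; Hypothetical handler for the dynamic routes of the application.
(defn app-handler [request]
  {:status  200
   :headers {"Content-Type" "text/plain"}
   ;; wrap-anti-forgery adds the token to the request map under this key.
   :body    (str "token: " (:anti-forgery-token request))})

;; Ordering reported as the problem: wrap-resource is the outermost layer.
;; A request for an existing resource (e.g. /index.html) is answered there,
;; so wrap-session and wrap-anti-forgery never see it and no token is
;; generated or stored on the first page load.
(def resources-outside
  (-> app-handler
      wrap-anti-forgery
      (wrap-session {:store (memory-store)})
      (wrap-resource "public")))

;; Reordered: wrap-resource sits inside the anti-forgery layer.
;; The static response now passes back out through wrap-anti-forgery, which
;; writes a fresh token into the session, and wrap-session, which sets the
;; session cookie the client needs for later token-protected requests.
(def resources-inside
  (-> app-handler
      (wrap-resource "public")
      wrap-anti-forgery
      (wrap-session {:store (memory-store)})))

;; Check used to compare the two stacks: does a first, cookie-less GET
;; come back with a Set-Cookie header (i.e. was a session created)?
(defn sets-session-cookie? [handler uri]
  (let [response (handler {:request-method :get
                           :uri            uri
                           :headers        {}})]
    (contains? (:headers response) "Set-Cookie")))

(comment
  ;; Evaluate at a REPL with public/index.html on the classpath (assumption).
  (sets-session-cookie? resources-outside "/index.html")
  (sets-session-cookie? resources-inside "/index.html"))
```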