wagtail / wagtail-autocomplete

An Autocomplete edit handler for selecting Pages, Snippets, and more.
https://wagtail-autocomplete.readthedocs.io/
BSD 3-Clause "New" or "Revised" License

Search fails when CSRF Cookie is `HttpOnly` #149

Closed RealOrangeOne closed 1 year ago

RealOrangeOne commented 1 year ago

As part of https://github.com/wagtail/wagtail-autocomplete/pull/128, the search view was changed to a POST, which requires a CSRF token. axios is correctly configured to pull this from the client's cookies and add a header for it.

However, if the CSRF cookie is HttpOnly, Axios can't read it, and the request fails with HTTP 403.

Instead, it should be pulled from the client, perhaps using {% csrf_token %} in the template?

A work-around is to set CSRF_COOKIE_HTTPONLY to False, but that's far from nice, or particularly secure.

david-kort commented 1 year ago

I ran into the same problem when upgrading to the latest version. A fix would be much appreciated, but unfortunately I am not familiar with the subject myself.

harrislapiroff commented 1 year ago

Sorry for the delay on this—we'll look into it soon. Thanks for the report

joeyjurjens commented 1 year ago

I'll fix this issue somewhere this week, as I'm the one who caused it :P