2016-04-10
Is there anything I need to add to my ajax request for anti-forgery to work? I'm getting invalid token errors every time 😞
sd: Either an __anti-forgery-token parameter, or an x-csrf-token header or an x-xsrf-token header.
The README explains it.
The token is compared to the token in the session.
The problem with POSTs is that they don’t adhere to the same-origin policy
Because they predate it.
So someone can create a form on their own website
Use JavaScript to automatically POST it
And the form will be POSTed to your website with your website's session
The way to stop it is to also pass along a secret token that is compared to the session.
So the user needs to be logged in, and POSTing from a page under your control.
ring-anti-forgery stores this token in *anti-forgery-token*
I saw that token, and it matched the :ring.middleware.anti-forgery/anti-forgery-token in :session
Since the ajax requests are being submitted with the cookie, I figured the token could be extracted that way
No, because the cookie isn’t safe.
The anti-forgery-token needs to be in the session and passed through a parameter.
And it's alright to just send the token to the client at some point, to include in your ajax requests?
Yeah. The point of the token is to make sure that the request comes from a page under your control.