Bug: Mandatory CSRF header hard to fill in javascript #3820

Open
1 of 4 tasks
dylandoamaral opened this issue Oct 16, 2024 · 2 comments
Labels
Bug 🐛 This is something that is not working as expected

Comments

@dylandoamaral

dylandoamaral commented Oct 16, 2024

Description

Hi, today CSRF requires the client to both send the cookie and a header; however, I have trouble sending the header since the cookie is an httpOnly one that I can't access in my JavaScript app. I don't understand why we need both, why it is mandatory, and if it is, how should I proceed to retrieve the cookie value to feed the header?

Steps to reproduce

1. Run `document.cookie` when there is a CSRF token in a web browser
2. Find out we can't retrieve it, so we can't feed the CSRF header

Litestar Version

2.12.1

Platform

  • Linux
  • Mac
  • Windows
  • Other (Please specify in the description above)

@dylandoamaral dylandoamaral added the Bug 🐛 This is something that is not working as expected label Oct 16, 2024
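Added illustration of the client side of the double-submit pattern the issue describes (example code, not Litestar's own): the script reads the token from `document.cookie` and echoes it in the header, and returns `null` when the cookie is invisible because it was set HttpOnly, which is exactly the failure in the reproduction steps. The cookie name `csrftoken` and header name `x-csrftoken` are assumed here; check them against your `CSRFConfig`.

```javascript
// Added example: client side of the double-submit CSRF pattern.
// Litestar sends the token in a cookie and expects the same value back in a
// request header. Only cookies set WITHOUT HttpOnly appear in document.cookie,
// so an HttpOnly token cookie is invisible here and the header cannot be filled.
// Cookie/header names are assumptions for illustration (check your CSRFConfig).
const CSRF_COOKIE_NAME = "csrftoken";
const CSRF_HEADER_NAME = "x-csrftoken";

// Parse a document.cookie string ("a=1; b=2") into a name -> value Map.
function parseCookieString(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    if (eq <= 0) continue; // no "=" or empty name: not a usable cookie pair
    const name = trimmed.slice(0, eq).trim();
    const value = decodeURIComponent(trimmed.slice(eq + 1).trim());
    jar.set(name, value);
  }
  return jar;
}

// Return the CSRF token visible to script, or null when it is absent
// (for example because the cookie was set HttpOnly and the browser hides it).
function readCsrfToken(cookieString, cookieName = CSRF_COOKIE_NAME) {
  const value = parseCookieString(cookieString).get(cookieName);
  return value === undefined || value === "" ? null : value;
}

// Build headers for a state-changing request. Returns null when no token is
// available so the caller can surface the misconfiguration instead of sending
// a request the server will reject.
function buildCsrfHeaders(cookieString, extra = {}) {
  const token = readCsrfToken(cookieString);
  if (token === null) return null;
  return { ...extra, [CSRF_HEADER_NAME]: token };
}

// Browser usage (not executed here):
//   const headers = buildCsrfHeaders(document.cookie, { "content-type": "application/json" });
//   if (headers === null) throw new Error("CSRF cookie not readable; is it HttpOnly?");
//   fetch("/api/items", { method: "POST", credentials: "same-origin", headers, body });
```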
@provinzkraut
Member

Not sure why http only has been made the default, it doesn't really need to be. However, we can't simply change this, as it could break things. Best we can do for now is make it configurable?

@litestar-org/members

@marcuslimdw
Contributor

@provinzkraut curious - what would it break? isn't non-HttpOnly strictly more permissive?
