diff --git a/.env.development b/.env.development
index d3bda7b1ab03fbd6a35a07aeb3aa3b9ffac21116..56d20a1a097ca357130f09697f35fc5f30a71963 100644
--- a/.env.development
+++ b/.env.development
@@ -1,2 +1,3 @@
 VUE_APP_API_BASE_URL=http://localhost:8000/api/v1
 VUE_APP_ROUTER_MODE=history
+VUE_APP_CSRF_ALL_ORIGINS=true
diff --git a/package-lock.json b/package-lock.json
index c791f5e328c7683cbd241e04bf80a6241ca1131f..ff3132a29e8006c0435736afd7b05857602a9bcd 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -12,7 +12,7 @@
         "@sentry/integrations": "^7.16.0",
         "@sentry/vue": "^7.16.0",
         "ansi-to-html": "^0.7.2",
-        "axios": "^1.4.0",
+        "axios": "^1.6.2",
         "bulma": "^0.9.3",
         "bulma-switch": "^2.0.0",
         "bulma-tooltip": "^3.0.2",
@@ -4949,9 +4949,9 @@
       }
     },
     "node_modules/axios": {
-      "version": "1.6.1",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.1.tgz",
-      "integrity": "sha512-vfBmhDpKafglh0EldBEbVuoe7DyAavGSLWhuSm5ZSEKQnHhBf0xAAwybbNH1IkrJNGnS/VG4I5yxig1pCEXE4g==",
+      "version": "1.6.2",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.2.tgz",
+      "integrity": "sha512-7i24Ri4pmDRfJTR7LDBhsOTtcm+9kjX5WiY1X3wIisx6G9So3pfMkEiU7emUBe46oceVImccTEM3k6C5dbVW8A==",
       "dependencies": {
         "follow-redirects": "^1.15.0",
         "form-data": "^4.0.0",
@@ -23215,9 +23215,9 @@
       }
     },
     "axios": {
-      "version": "1.6.1",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.1.tgz",
-      "integrity": "sha512-vfBmhDpKafglh0EldBEbVuoe7DyAavGSLWhuSm5ZSEKQnHhBf0xAAwybbNH1IkrJNGnS/VG4I5yxig1pCEXE4g==",
+      "version": "1.6.2",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.2.tgz",
+      "integrity": "sha512-7i24Ri4pmDRfJTR7LDBhsOTtcm+9kjX5WiY1X3wIisx6G9So3pfMkEiU7emUBe46oceVImccTEM3k6C5dbVW8A==",
       "requires": {
         "follow-redirects": "^1.15.0",
         "form-data": "^4.0.0",
diff --git a/package.json b/package.json
index 441f7ed4b9afc568cc039134245b6e268accf826..7e69cc5d87ce06c0b1ce5d273fe934e8d1de4777 100644
--- a/package.json
+++ b/package.json
@@ -20,7 +20,7 @@
     "@sentry/integrations": "^7.16.0",
     "@sentry/vue": "^7.16.0",
     "ansi-to-html": "^0.7.2",
-    "axios": "^1.4.0",
+    "axios": "^1.6.2",
     "bulma": "^0.9.3",
     "bulma-switch": "^2.0.0",
     "bulma-tooltip": "^3.0.2",
diff --git a/src/config.ts b/src/config.ts
index a4c144a3ce5709322a8798c8486c275ad6474a56..33c10175f8b073abef0cb0e3258fa4dd223447bd 100644
--- a/src/config.ts
+++ b/src/config.ts
@@ -34,6 +34,7 @@ export const CSRF_COOKIE_NAME: string = process.env.VUE_APP_CSRF_COOKIE_NAME ||
 // Fallback to default value
 ) || 'arkindex.csrf'
 export const CSRF_COOKIE_HEADER = 'X-CSRFToken'
+export const CSRF_ALL_ORIGINS = process.env.VUE_APP_CSRF_ALL_ORIGINS === 'true'
 export const VERSION: string | undefined = process.env.VUE_APP_VERSION
 export const ROUTER_MODE: string = process.env.VUE_APP_ROUTER_MODE || 'history'
 
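Review bot: `CSRF_ALL_ORIGINS` is exported with no note on its security effect, so a reader of `src/config.ts` cannot tell that enabling it lifts the same-origin restriction on the CSRF token header. A comment above the new line would cover this, e.g. `// Development only: when 'true', the CSRF token header is also sent on cross-origin requests; leave unset in production builds.` An explicit `: boolean` annotation would also match the annotated constants next to it (`VERSION`, `ROUTER_MODE`).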
diff --git a/src/main.ts b/src/main.ts
index 9318403bb97db90e020f037de888613f82728127..7b5031419c53ad5c89db472105f198e569322307 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -7,6 +7,7 @@ import {
   API_BASE_URL,
   CSRF_COOKIE_NAME,
   CSRF_COOKIE_HEADER,
+  CSRF_ALL_ORIGINS,
   SENTRY_DSN,
   SENTRY_ENVIRONMENT,
   UUID,
@@ -35,6 +36,13 @@ axios.defaults.baseURL = API_BASE_URL
 axios.defaults.xsrfCookieName = CSRF_COOKIE_NAME
 axios.defaults.xsrfHeaderName = CSRF_COOKIE_HEADER
 axios.defaults.withCredentials = true
+/*
+ * `false` means no CSRF token is ever sent in any request,
+ * `undefined` means the CSRF token is only sent to the same origin (default),
+ * `true` means the token is sent to everyone.
+ * Dev builds will need `true`, since devs will need to reach localhost:8000 from :8080.
+ */
+axios.defaults.withXSRFToken = CSRF_ALL_ORIGINS ? true : undefined
 
 // Try to ensure we do not get anything other than JSON…
 axios.defaults.headers.Accept = 'application/json'
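Review bot: With `withXSRFToken` set to `true` on `axios.defaults`, the `X-CSRFToken` header goes out on every request made through the default instance, including absolute URLs on hosts other than `API_BASE_URL`, so the token is disclosed to any other origin the app calls. Because `VUE_APP_*` values are baked in at build time, a non-development build made with the flag set would behave this way with no runtime signal. Limiting the header to the API origin keeps the dev workflow (`:8080` to `localhost:8000`) working without widening exposure. Axios appears to accept a predicate for this option, but that should be confirmed against the pinned 1.6.2 typings before adopting the sketch below.

```typescript
// … unchanged: comment block describing false / undefined / true …
// Origin of the configured API; a relative API_BASE_URL resolves against the page.
const apiOrigin = new URL(API_BASE_URL, window.location.href).origin
// Attach the CSRF token only when the request actually targets the API origin.
axios.defaults.withXSRFToken = CSRF_ALL_ORIGINS
  ? config => new URL(axios.getUri(config), window.location.href).origin === apiOrigin
  : undefined
```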