Allow CSRF to a different hostname in dev and Surge builds
The vulnerability saga that started in !1590 (merged) continues: turns out some Axios devs want the CVE revoked, and the vulnerability got re-introduced in 1.6.2 as a new `withXSRFToken` boolean. With both `withCredentials: true` and `withXSRFToken: true`, the `X-CSRFToken:` header is sent to anyone. And the GitHub issues are an enormous mess and I hope the core devs have access to therapy.

We do need this for local dev, since we are sending requests to `localhost:8000` from `localhost:8080`, which are considered different origins, so I bumped Axios to 1.6.2 and added support for that option as a new build variable.

They are discussing a future behavior that makes more sense, setting a list of domains that you trust to send the token to, and nobody else. In the meantime we can just allow devs to hack themselves.
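As an added example, not code from this merge request or from Axios: the allowlist behaviour the Axios maintainers are discussing, written as a per-request decision that hands the CSRF cookie value to the page's own origin or to a build-time list of trusted dev origins, and to nobody else. The `DEV_CSRF_ORIGINS` name, the `"production"` build mode and the function form of `withXSRFToken` (assumed to be called with the request config) are assumptions here.

```javascript
// Added example (not Arkindex or Axios code): decide per request whether the
// CSRF cookie value may be copied into the X-CSRFToken header. Instead of the
// all-or-nothing `withXSRFToken: true` from Axios 1.6.2, the token goes only
// to the page's own origin and to an explicit allowlist of dev origins.

// Origins a non-production build is allowed to trust with the CSRF token.
// Stands in for the build variable added in this MR (assumed name and shape).
const DEV_CSRF_ORIGINS = ["http://localhost:8000"];

function requestOrigin(url, pageOrigin) {
  // Relative URLs resolve against the page origin, so they are same-origin.
  return new URL(url, pageOrigin).origin;
}

// Classic same-origin rule first; cross-origin only when explicitly trusted.
function shouldSendXsrfToken(url, pageOrigin, trustedOrigins = []) {
  const origin = requestOrigin(url, pageOrigin);
  if (origin === pageOrigin) return true;
  return trustedOrigins.includes(origin);
}

// Axios request options for a given build mode. A production build trusts no
// extra origin, so the header can never leave the page's own origin.
// `withXSRFToken` as a function is assumed to receive the request config.
function csrfRequestOptions(buildMode, pageOrigin) {
  const trusted = buildMode === "production" ? [] : DEV_CSRF_ORIGINS;
  return {
    withCredentials: true,
    xsrfCookieName: "csrftoken",
    xsrfHeaderName: "X-CSRFToken",
    withXSRFToken: (config) => shouldSendXsrfToken(config.url, pageOrigin, trusted),
  };
}
```

Run the page-origin and request URL through `shouldSendXsrfToken` in a dev build to confirm that only `localhost:8000` is added, and that the production options never return true for a foreign origin.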
Merge request reports
Activity
- changed milestone to %Arkindex 1.5.3
- assigned to @erouchet
- added 1 commit: 857308ea - Allow CSRF to a different hostname in dev and Surge builds
- requested review from @babadie
- added 1 commit: 45ac5db1 - Allow CSRF to a different hostname in dev and Surge builds
- added 3 commits: 45ac5db1...4a5ba3d6 - 2 commits from branch master; 1f63b804 - Allow CSRF to a different hostname in dev and Surge builds
- added 3 commits: 1f63b804...32ec39d2 - 2 commits from branch master; cb09da8b - Allow CSRF to a different hostname in dev and Surge builds