Allow CSRF to a different hostname in dev and Surge builds
The vulnerability saga that started in !1590 (merged) continues: turns out some Axios devs want the CVE revoked, and the vulnerability got re-introduced in 1.6.2 as a new withXSRFToken boolean. With both withCredentials: true and withXSRFToken: true, the X-CSRFToken: header is sent to anyone. And the GitHub issues are an enormous mess and I hope the core devs have access to therapy.
We do need this for local dev, since we are sending requests to localhost:8000 from localhost:8080, which are considered different origins, so I bumped Axios to 1.6.2 and added support for that option as a new build variable.
They are discussing a future behavior that makes more sense, setting a list of domains that you trust to send the token to, and nobody else. In the meantime we can just allow devs to hack themselves.
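The allowlist behavior mentioned above, sketched as an added example (not part of this merge request or of Axios): a helper over a plain object shaped like an Axios request config that sets X-CSRFToken only for the page's own origin or an exactly matching trusted origin. The function names, the TRUSTED_ORIGINS value and the sample hosts are assumptions.

```javascript
// Added example; names are hypothetical and values are constructed.
// Origins trusted to receive the CSRF token, besides the page's own origin.
const TRUSTED_ORIGINS = new Set(['http://localhost:8000']);

// Origin the request will actually go to, or null if the URL does not parse.
// Only the origin matters here, so plain URL resolution is enough.
function targetOrigin(config, pageOrigin) {
  try {
    const base = new URL(config.baseURL || '/', pageOrigin);
    return new URL(config.url || '', base).origin;
  } catch {
    return null;
  }
}

// Operates on a plain object shaped like an Axios request config
// ({ url, baseURL, headers }) and returns a copy with the header decided.
function attachCsrfToken(config, token, pageOrigin, trusted = TRUSTED_ORIGINS) {
  const own = new URL(pageOrigin).origin;
  const origin = targetOrigin(config, own);
  const headers = { ...(config.headers || {}) };
  // Exact origin comparison: prefix or substring checks would accept
  // look-alike hosts such as localhost.evil.example.
  if (origin !== null && (origin === own || trusted.has(origin))) {
    headers['X-CSRFToken'] = token;
  } else {
    delete headers['X-CSRFToken']; // never forward a token set upstream
  }
  return { ...config, headers };
}
```

Protocol-relative URLs and URLs with userinfo resolve to their real host before the comparison, so they are judged by where the request actually goes.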