I'm working on an AngularJS webapp with a Laravel backend.
I want to enable CSRF protection with cross-domain requests. Is it possible?
The $http reference, in the "Cross Site Request Forgery" section, says "The header will not be set for cross-domain requests".
Looking at the Developer Tools logs I see that after the $http.post call the preflight request is sent (OPTIONS verb) and it has the XSRF-TOKEN cookie set, but the POST request has no cookies, so I can't do:
$http.defaults.headers.post['X-CSRFToken'] = $cookies['XSRF-TOKEN'];
Any idea?
UPDATE:
@zeroflagL: I tried with
$http.defaults.headers.common.xsrfCookieName = 'XSRF-TOKEN';
$http.defaults.headers.common.xsrfHeaderName = 'X-XSRF-TOKEN';
And now in the Request headers of the POST I have:
xsrfCookieName:XSRF-TOKEN
xsrfHeaderName:X-XSRF-TOKEN
But the CSRF check is not passed (TokenMismatchException on the server). I suppose that the XSRF-TOKEN should be in the request headers for it to work...
… xsrfHeaderName and xsrfCookieName, as said in the documentation? – a better oliver
… headers.common. It's just $http.defaults.xsrf... – a better oliver
… $http.defaults.headers.common.xsrf..., if I use your form nothing is set in the POST request headers. BTW this doesn't resolve the problem – Mat
… http://myweb.com. The user is logged in. The user opens the site http://evil.com in another tab. That evil site embeds an image tag having the URL http://myweb.com/transferMoney. Because the user is still logged in, the session id is sent and the request seems OK from the server's perspective. If the client runs on http://anotherweb.com and makes a cross-site request to http://myweb.com then XSRF isn't an issue because the request doesn't appear to come from your site anyway. – a better oliver