feat($http): support sending XSRF token to whitelisted origins #14890
Conversation
|
/fyi @IgorMinar |
| customParamSerializer: customParamSerializer | ||
| })); | ||
| beforeEach(module(function($exceptionHandlerProvider) { | ||
| $exceptionHandlerProvider.mode('log'); | ||
| })); |
There was a problem hiding this comment.
Just refactoring beforeEach blocks merging unnecessarily separate blocks.
gkalpak
force-pushed
the
feat-http-xsrf-origin-whitelist
branch
from
0455b09 to
00ef7e3
Compare
|
LGTM but needs a rebase |
gkalpak
force-pushed
the
feat-http-xsrf-origin-whitelist
branch
2 times, most recently
from
f5e4abc to
587610f
Compare
|
Rebased. PTAL |
src/.eslintrc.json
Outdated
| @@ -161,6 +161,7 @@ | |||
| "urlResolve": false, | |||
| "urlIsSameOrigin": false, | |||
| "urlIsSameOriginAsBaseUrl": false, | |||
| "urlIsAllowedOriginChecker": false, | |||
There was a problem hiding this comment.
I would prefer a different name here, like isUrlAllowedOrigin. This fits better with our other methods that "check" something.
There was a problem hiding this comment.
But this one is not like the other functions 😁
This one returns a function that checks (i.e. returns what one would call isUrlAllowedOrigin()).
So, I think naming it isUrlAllowedOrigin would be confusing. Open to other naming suggestions.
There was a problem hiding this comment.
How about urlIsAllowedOriginFactory()?
src/ng/http.js
Outdated
| * @name $httpProvider#xsrfWhitelistedOrigins | ||
| * @description | ||
| * | ||
| * Array containing URLs whose origins are considered trusted enough to receive the XSRF token. |
There was a problem hiding this comment.
Could be made simpler as "are trusted to receive the XSRF token"
src/ng/http.js
Outdated
| * properties of either $httpProvider.defaults at config-time, $http.defaults at run-time, | ||
| * or the per-request config object. | ||
| * The header will — by default — **not** be set for cross-domain requests. This | ||
| * prevents unauthorized servers (e.g. malicious or compromized 3rd-party APIs) from gaining |
gkalpak
force-pushed
the
feat-http-xsrf-origin-whitelist
branch
from
587610f to
bb17964
Compare
|
|
| * @name $httpProvider#xsrfWhitelistedOrigins | ||
| * @description | ||
| * | ||
| * Array containing URLs whose origins are trusted to receive the XSRF token. See the |
There was a problem hiding this comment.
Array containing "origins" that are trusted?
Or if you explicitly accept URLs (but ignore the path etc) then change the name to xsrfWhitelistedUrls.
There was a problem hiding this comment.
I do want to explicitly accept URLs (but ignore the path etc), but I think xsrfWhitelistedUrls will be misleading in that case. It would sound like you can whitelist specific URLs.
How about I change the description to "...containing origins that are trusted..." and keep the name as is (and also mention below that path etc will be ignored)?
There was a problem hiding this comment.
Changing the description works for me.
src/ng/http.js
Outdated
| * angular. | ||
| * module('xsrfWhitelistedOriginsExample', []). | ||
| * config(['$httpProvider', function($httpProvider) { | ||
| * $httpProvider.xsrfWhitelistedOrigins.push('https://api.example.com/'); |
There was a problem hiding this comment.
Note that the / at the end of the URL is part of the path and not the origin.
src/ng/urlUtils.js
Outdated
| * @returns {boolean} - Whether the specified URL is of an allowed origin. | ||
| */ | ||
| return function urlIsAllowedOrigin(requestUrl) { | ||
| var parsedUrl = isString(requestUrl) ? urlResolve(requestUrl) : requestUrl; |
There was a problem hiding this comment.
Not related to this PR but perhaps we should change urlResolve to be a noop if the url is already parsed (i.e. not a string)? This would save some of this boilerplate here and further down.
test/ng/httpSpec.js
Outdated
| var $httpBackend; | ||
|
|
||
| beforeEach(module(function($httpProvider) { | ||
| $httpProvider.xsrfWhitelistedOrigins.push('https://whitelisted.example.com/'); |
There was a problem hiding this comment.
Note that the trailing slash is ignored. Should we have tests for URLs with different paths - to demonstrate that they are ignored?
Normally, the XSRF token will not be set for cross-origin requests. With this commit, it is possible to whitelist additional origins, so that requests to these origins will include the XSRF token header. Fixes angular#7862
gkalpak
force-pushed
the
feat-http-xsrf-origin-whitelist
branch
from
bb17964 to
45bf5e9
Compare
|
@petebd, PTAL. |
Accidentally broken while backporting angular#14890.
What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
Feature.
What is the current behavior? (You can also link to an open issue here)
The XSRF token header is not set on requests to cross-origin requests. This is usually desired, but there are cases where you want to whitelist specific origins.
See #7862 for context.
What is the new behavior (if this is a feature change)?
It is possible to whitelist specific origins, so requests to URLs on these origins will also have the XSRF token header set.
Does this PR introduce a breaking change?
No.
Please check if the PR fulfills these requirements
Other information:
Fixes #7862