Option to disable CSRF warning #139
Comments
|
Hey Daniel, As I mentioned in #137, first step would be describing a use case where you don't want to be using CSRF tokens. Wouldn't be against offering a flag to disable this if there's a good reason, but my concern is that folks will disable it just to suppress the warning - not understanding the severe security risk they'll be exposing users to. |
|
In our case we have a ClojureScript webapp hosted on one domain, and our Sente server on another domain. We aren't really wanting to use sessions (instead auth tokens: #135), but even if we were, I'm not sure how we would get the CSRF token to use in our connections. How would you accomplish this in a cross domain way? |
|
Any updates on this? Would you still like me to follow up, or can we close? |
|
I'll close this for now, and reopen it when I come to look at it again. I need to understand the security implications better myself first. |
It would be nice to be able to disable the CSRF warning at: https://github.com/ptaoussanis/sente/blob/v1.4.1/src/taoensso/sente.cljx#L760-L761
It would be possible to provide a custom
csrf-token-fnto return an empty string, although this might go against the spirit of its use, and there could be other ramifications I haven't thought about.The text was updated successfully, but these errors were encountered: