Comments (9)
Cookie libs should escape, but yeah, there's no reason for us to use a semicolon there.
from csrf.
The CSRF token itself is never sent through cookies. The CSRF secret (this.session.secret)
is (though if you use a DB store then it won't be). That spec is outdated and not a real spec (afaik). The way it works should be fine.
@visionmedia, yes, the libs 'should' escape this. But in Koa it doesn't do this by default:
https://github.com/jed/cookies/blob/master/lib/cookies.js#L50
https://github.com/jed/cookies/blob/master/lib/cookies.js#L84
right? ;)
@jonathanong, yes, your sample doesn't use cookies. But this should be an option. For example, Angular.js uses this by default:
And here is the real specification:
http://www.w3.org/Protocols/rfc2109/rfc2109 (Set-Cookie Syntax)
You can open a PR in jed/cookies.
You can't use this library for Angular, since this library doesn't send a CSRF token as a cookie. You could just create another library specifically for Angular.
Or we could just use something else instead of a semicolon so you could. Suggestion?
I think most of the current code will work, also with Angular or whatever. One can set the cookie oneself like:
this.cookies.set('csrf-token', this.csrf, { expires: expire, httpOnly: false });
So the only thing is the semicolon. Escaping the semicolon should also work, but this is not optimal.
This one:
http://www.senchalabs.org/connect/csrf.html
doesn't use a semicolon.
Hmmm, we've been setting JSON sessions with commas and probably whitespace. Wonder how that has been working.
Thanks, tested ;)