CSRF with fetch API - CodeIgniter Forums (https://forum.codeigniter.com)
Forum: CodeIgniter 4 > CodeIgniter 4 Support
Thread: https://forum.codeigniter.com/showthread.php?tid=76908
CSRF with fetch API - Leo - 07-01-2020

Can someone help me with this?

Code:
fetch(SITE_CONSTANT+'/login/updateUser', {

Posting stuff with the fetch API from JavaScript to a controller. It works when I turn off CSRF, but does not when it's on. I tried to do it like this:

Code:
let csrfs = document.querySelectorAll('input[name=csrf_token]');

Like how I do with jQuery ajax - but still no dice. Help?

RE: CSRF with fetch API - MGatner - 07-07-2020

See this: https://github.com/codeigniter4/CodeIgniter4/issues/2454

Basically, CSRF behavior differs when it detects an AJAX call, but `fetch` calls are indistinguishable from regular HTTP requests. You can work around this by providing the headers with your `fetch` command:

fetch(url, {
    method: "get",
    headers: {
        "Content-Type": "application/json",
        "X-Requested-With": "XMLHttpRequest"
    }
})

RE: CSRF with fetch API - Leo - 07-07-2020

(07-07-2020, 10:26 AM)MGatner Wrote: See this: https://github.com/codeigniter4/CodeIgniter4/issues/2454

Thanks MGatner! But I've no problems at all with the "get" method; fetch works as is for get. It is the post I've had a stub on. Currently, my solution is putting everything in FormData() - and that somehow makes it all work.

Code:
let form = new FormData();

RE: CSRF with fetch API - MGatner - 07-07-2020

That was just some example code. Regardless of your method you should still try setting the header:

headers: {
    "Content-Type": "application/json",
    "X-Requested-With": "XMLHttpRequest"
}

That will signify to CodeIgniter that this is an AJAX request and (hopefully) will get your CSRF working on the backend.

RE: CSRF with fetch API - Leo - 07-08-2020

I tried adding it (to the code I posted earlier), but it broke everything.
This is what I got in the logs:

#0 C:\laragon\www\stostolov\vendor\codeigniter4\framework\system\Security\Security.php(233): CodeIgniter\Security\Exceptions\SecurityException::forDisallowedAction()
#1 C:\laragon\www\stostolov\vendor\codeigniter4\framework\system\Filters\CSRF.php(85): CodeIgniter\Security\Security->CSRFVerify(Object(CodeIgniter\HTTP\IncomingRequest))
#2 C:\laragon\www\stostolov\vendor\codeigniter4\framework\system\Filters\Filters.php(173): CodeIgniter\Filters\CSRF->before(Object(CodeIgniter\HTTP\IncomingRequest), NULL)
#3 C:\laragon\www\stostolov\vendor\codeigniter4\framework\system\CodeIgniter.php(378): CodeIgniter\Filters\Filters->run('front/fetchProd...', 'before')
#4 C:\laragon\www\stostolov\vendor\codeigniter4\framework\system\CodeIgniter.php(308): CodeIgniter\CodeIgniter->handleRequest(NULL, Object(Config\Cache), false)
#5 C:\laragon\www\stostolov\public\index.php(45): CodeIgniter\CodeIgniter->run()

Also I tried to simply include the csrf value in the body (see below) - but it didn't work either.

fetch(SITE_CONSTANT+'/whatever', {
    method: "post",
    body: csrf_val
}).then(response => console.log(response))

RE: CSRF with fetch API - InsiteFX - 07-08-2020

This makes a lot of sense out of CSRF Protection.

PHP RFC: Semi-Automatic CSRF Protection
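Putting the thread's advice together as an added example (this is not code from any of the posts above): a fetch() POST that reads the hidden token input Leo's selector targets and sends it as a form field, so PHP populates $_POST, together with MGatner's X-Requested-With header. The function names, the `fields` argument and the input name `csrf_token` (taken from Leo's post; it must match `tokenName` in app/Config/Security.php) are assumptions.

```javascript
// Added example: build a fetch() POST that passes CodeIgniter 4's CSRF filter.
// Assumption: the hidden input is named csrf_token (as in Leo's post) and that
// name matches tokenName in app/Config/Security.php.

// Builds the fetch() options without touching the DOM, so it can be unit-tested.
function buildCsrfRequest(tokenName, tokenValue, fields) {
  const body = new URLSearchParams();
  // The token has to arrive as a POST field with the configured name. A bare
  // string body (body: csrf_val, as in the last attempt above) is sent as
  // text/plain and never reaches $_POST, so the filter rejects the request.
  body.set(tokenName, tokenValue);
  for (const [key, value] of Object.entries(fields)) {
    body.set(key, String(value));
  }
  return {
    method: 'POST',
    // Verification compares the field against the CSRF cookie, so the cookie
    // must travel with the request.
    credentials: 'same-origin',
    headers: {
      // Form encoding makes PHP populate $_POST; application/json does not.
      'Content-Type': 'application/x-www-form-urlencoded',
      // Marks the request as AJAX for CodeIgniter (see issue #2454 above).
      'X-Requested-With': 'XMLHttpRequest',
    },
    body: body.toString(),
  };
}

// Reads the token from the hidden input rendered by csrf_field() / form_open().
function readCsrfToken(doc, tokenName) {
  const input = doc.querySelector(`input[name="${tokenName}"]`);
  if (!input) throw new Error(`CSRF input "${tokenName}" not found in page`);
  return { name: input.name, value: input.value };
}

// Browser entry point (hypothetical name): POST fields to a controller route.
async function postWithCsrf(url, fields, tokenName = 'csrf_token') {
  const token = readCsrfToken(document, tokenName);
  const response = await fetch(url, buildCsrfRequest(token.name, token.value, fields));
  if (!response.ok) throw new Error(`Request failed with status ${response.status}`);
  return response;
}
```

If app/Config/Security.php has `regenerate` enabled, the token changes after each request, so re-read the input (or the refreshed value from the response) before the next POST instead of caching it.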