CSRF filter and same-origin requests #14007
Unanswered
andrew-nowak
asked this question in
Q&A
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Hi! I have a question about the interaction between the CORS and CSRF filters.
It's documented that "if you have a CORS filter before your CSRF filter, the CSRF filter will let through CORS requests from trusted origins". https://www.playframework.com/documentation/3.0.x/JavaCsrf#Trusting-CORS-requests
I believe this happens when the request is tagged as trusted by the CORS filter and that tag is then discovered by the CSRF filter. However, I can see that tag isn't applied for same-origin requests, as the logic branch in the CORS filter doesn't apply the tag, meaning that same-origin requests need to .
Why does the CSRF filter not let through same-origin requests, especially if it has been configured to allow through cross-origin requests from trusted origins? Is it something that could be added, even if behind a configuration option? (I'd be happy to contribute this if it was acceptable)
Beta Was this translation helpful? Give feedback.
All reactions