# |
Aug 22nd 2019, 10:10 |
neon1024 |
I’m using Vue.js to build a component which manages the whole template |
# |
Aug 22nd 2019, 10:10 |
ndm |
what does "rendering javascript" mean |
# |
Aug 22nd 2019, 10:10 |
neon1024 |
I think I’ll just turn off CSRF for this prefix |
# |
Aug 22nd 2019, 10:09 |
neon1024 |
Seems to work on other pages |
# |
Aug 22nd 2019, 10:09 |
neon1024 |
Adding the token to the layout doesn’t work when I’m redering my javascript |
# |
Aug 22nd 2019, 10:09 |
challgren |
Ahh ok |
# |
Aug 22nd 2019, 10:09 |
ndm |
@challgren Oh wait, I think I misunderstood you... the cookie would be there. Still I think passing the value to JS is cleaner, no need to parse the cookie string, and to make the cookie insecure |
# |
Aug 22nd 2019, 10:09 |
hippo |
``` $this->enableCsrfToken(); $this->enableSecurityToken(); ``` |
# |
Aug 22nd 2019, 10:08 |
challgren |
Is there anyway to explicitly turn it on? |
# |
Aug 22nd 2019, 10:08 |
hippo |
Yes |
# |
Aug 22nd 2019, 10:08 |
challgren |
Ok so heres a question when doing Integration Testing isn’t the CSRF token check disabled? |
# |
Aug 22nd 2019, 10:03 |
ndm |
You could if it's not HTTP only, but on the first request there will be no cookie |
# |
Aug 22nd 2019, 10:02 |
challgren |
in JS cant you get the cookie? |
# |
Aug 22nd 2019, 10:02 |
ndm |
totally fine :slightly_smiling_face: |
# |
Aug 22nd 2019, 10:02 |
neon1024 |
Feels a bit hacky |
# |
Aug 22nd 2019, 10:01 |
ndm |
in your layout |
# |
Aug 22nd 2019, 10:01 |
ndm |
@neon1024 Assign it to a global variable |
# |
Aug 22nd 2019, 10:01 |
ndm |
@challgren The security token, for the security component |
# |
Aug 22nd 2019, 10:01 |
neon1024 |
Not in Javascript I can’t |
# |
Aug 22nd 2019, 10:01 |
ndm |
You can get the token in your view from the request object `$this->getRequest->getParam('_csrfToken')` |
# |
Aug 22nd 2019, 10:01 |
challgren |
What am I thinking of that needs updated when the form changes? |
# |
Aug 22nd 2019, 10:01 |
neon1024 |
Hm okay, thanks for the help @ndm I’ll look into this |
# |
Aug 22nd 2019, 10:00 |
ndm |
It needs to send alongside your ajax request, and the the token needs to be in the data too, either as header (`X-CSRF-Token`) or as a field (`_csrfToken`) |
# |
Aug 22nd 2019, 10:00 |
neon1024 |
So httpOnly blocks js |
# |
Aug 22nd 2019, 09:59 |
neon1024 |
So I need this cookie? |
# |
Aug 22nd 2019, 09:59 |
ndm |
@neon1024 @challgren No, it doesn't, the form helper just conveniently injects the token, but it doesn't generate it, that happens in the middleware, and it's not realted to any content |
# |
Aug 22nd 2019, 09:58 |
challgren |
Has pretty much everything but the kitchen sink |
# |
Aug 22nd 2019, 09:58 |
challgren |
Yeah I might switch to it! |
# |
Aug 22nd 2019, 09:58 |
alexdd55976 |
inspinia looks really nice. thanks |
# |
Aug 22nd 2019, 09:57 |
yamcomnet |
Confusing.. I will still get Orders that are authenticated = 0 as results?? Not really sure how this orWhere really should work? |
# |
Aug 22nd 2019, 09:56 |
challgren |
So wouldnt the CSRF token change if you add or remove a field? |
# |
Aug 22nd 2019, 09:56 |
neon1024 |
:S |
# |
Aug 22nd 2019, 09:56 |
challgren |
`The CsrfProtectionMiddleware integrates seamlessly with FormHelper. Each time you create a form with FormHelper, it will insert a hidden field containing the CSRF token.` |
# |
Aug 22nd 2019, 09:56 |
ndm |
from the security component |
# |
Aug 22nd 2019, 09:56 |
ndm |
That's the security token |
# |
Aug 22nd 2019, 09:56 |
challgren |
Yeah |
# |
Aug 22nd 2019, 09:55 |
neon1024 |
@ndm Oh really? I thought it was a hash of the form fields? |
# |
Aug 22nd 2019, 09:55 |
neon1024 |
Although if this was true, I could easily get the cookie in JS |
# |
Aug 22nd 2019, 09:55 |
ndm |
CSRF protection doesn't care about your form content. |
# |
Aug 22nd 2019, 09:55 |
neon1024 |
> The CSRF Token can be obtained via the Cookie csrfToken. |
# |
Aug 22nd 2019, 09:55 |
neon1024 |
Disabling it seems like the way to go |