4

Do I have to set anything to send X-XSRF-TOKEN header if I set a XSRF-TOKEN cookie server side?

https://github.com/axios/axios/blob/master/lib/defaults.js#L74 https://github.com/axios/axios/blob/master/dist/axios.js#L1072

It reads like I don't, but I'm not seeing one go out.

I'll add that I have set withCredentials to true, so I do meet the first check in the OR:

    var xsrfValue = (config.withCredentials || isURLSameOrigin(config.url)) && config.xsrfCookieName ?
        cookies.read(config.xsrfCookieName) :
        undefined;

    if (xsrfValue) {
      requestHeaders[config.xsrfHeaderName] = xsrfValue;
    }

so if config.xsrfCookieName is a default.....

Update:

So, my OPTIONS preflight CORS is working, as is the POST now, but no X-XSRF-TOKEN being sent.

  methods: {
    onSubmit(e) {
      this.axios
        .post(
          e.target.action,
          { data: this.form },
          {
            withCredentials: true,
            xsrfCookieName: "XSRF-TOKEN",
            xsrfHeaderName: "X-XSRF-TOKEN"
          }
        )
        .then(res => {
          console.log(res)
        })
        .catch(err => {
          this.errors.push(err)
        })
    }
  }

Thanks.


1 Answer

5

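I had the same problem. It was about the "secure" flag on the cookie, which can be seen on the request's Cookies tab but is not shown on the cookie under the "Application" tab:

XSRF-TOKEN secure

In my case, I had to ask the backend to set it. This happens because, for security reasons, you cannot access it through JavaScript.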

document.cookie // is empty
answered 2019-01-10T15:36:42.760
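
An added example, not code from the question, the answer or axios: axios can only copy the token into `X-XSRF-TOKEN` if `document.cookie` on the calling page exposes the `XSRF-TOKEN` cookie, so this helper takes the `Set-Cookie` header the backend sent and lists which attributes would hide it from the page. The host names and cookie values are constructed, and the cookie model is a simplified reading of RFC 6265.

```javascript
// Added example, not axios code. Simplified cookie model based on RFC 6265;
// browser special cases (e.g. treating localhost as secure) are not modelled.

// Split a Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf("=");
    attrs[(i < 0 ? part : part.slice(0, i)).toLowerCase()] = i < 0 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, pair.indexOf("=")), attrs };
}

// RFC 6265 path-match: cookie path equals, or is a directory prefix of, the page path.
function pathMatches(cookiePath, pagePath) {
  if (pagePath === cookiePath) return true;
  return pagePath.startsWith(cookiePath) &&
    (cookiePath.endsWith("/") || pagePath[cookiePath.length] === "/");
}

// Reasons document.cookie on pageUrl would NOT expose the cookie that
// responseUrl set with setCookieHeader. An empty array means it is readable.
function whyUnreadable(setCookieHeader, responseUrl, pageUrl) {
  const { attrs } = parseSetCookie(setCookieHeader);
  const setter = new URL(responseUrl);
  const page = new URL(pageUrl);
  const reasons = [];
  if (attrs.httponly) reasons.push("HttpOnly");
  if (attrs.secure && page.protocol !== "https:") reasons.push("Secure on non-HTTPS page");
  if (typeof attrs.domain === "string") {
    const d = attrs.domain.replace(/^\./, "").toLowerCase();
    if (page.hostname !== d && !page.hostname.endsWith("." + d)) reasons.push("Domain mismatch");
  } else if (page.hostname !== setter.hostname) {
    reasons.push("Host-only cookie from another host");
  }
  // Without a usable Path attribute the default is the setter URL's directory.
  const dir = setter.pathname.slice(0, setter.pathname.lastIndexOf("/")) || "/";
  const cookiePath = typeof attrs.path === "string" && attrs.path.startsWith("/") ? attrs.path : dir;
  if (!pathMatches(cookiePath, page.pathname)) reasons.push("Path mismatch");
  return reasons;
}

// Constructed sample: API on one host, page served over plain HTTP on another.
console.log(whyUnreadable("XSRF-TOKEN=abc; Path=/; Secure",
  "https://api.example.test/login", "http://app.example.test/"));
```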