Reputation: 848
This is a snippet from the file http.js in AngularJS 1.6.4 on GitHub:
```javascript
// http.js, AngularJS 1.6.4: copy the XSRF cookie into the request header,
// but only when the request URL is same-origin
var xsrfValue = urlIsSameOrigin(config.url)
    ? $$cookieReader()[config.xsrfCookieName || defaults.xsrfCookieName]
    : undefined;
if (xsrfValue) {
  reqHeaders[(config.xsrfHeaderName || defaults.xsrfHeaderName)] = xsrfValue;
}
```
Why is the XSRF token included only if the request is meant for the same origin? What if a RESTful backend is on a different host than the frontend? Shouldn't XSRF protection be used nevertheless?
Upvotes: 0
Views: 577
Reputation: 15570
XSRF protection in this case works by comparing the token received in the config.xsrfHeaderName header to the token received as a cookie, config.xsrfCookieName (see "double posting" protection against XSRF). The cookie will not be sent to other origins anyway, so there is no point in sending the header.

In this case the other origin presumably uses authentication that does not rely on something automatically added to requests by the browser (i.e. cookies), but is probably token-based, as most APIs are. In that case it is not vulnerable to XSRF.
Upvotes: 1