Fixing xsrf header on missing xsrfCookieName #406

Merged
merged 2 commits into from
Aug 13, 2016

@pracucci pracucci commented Aug 8, 2016

This change introduces a way to disable cookies reading and fixes #395.

@coveralls

Coverage remained the same at 92.876% when pulling 85b9015 on pracucci:master into 8abe0d4 on mzabriskie:master.

@@ -28,6 +28,19 @@ describe('xsrf', function () {
});
});

it('should not set xsrf header if xsrfCookieName is null', function (done) {
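
Review bot: the test title on the added `it(...)` line covers only `xsrfCookieName` being `null`, while the PR title describes a missing `xsrfCookieName`. If `undefined` or an empty string is also meant to suppress the header, add a case for each; if only `null` is supported, say so in the option's documentation.
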
Member

Maybe you should include a test to check that document.cookie isn't read if xsrfCookieName is null, as it's the main motivation of this PR. We can only do that using ES5 getters and we haven't used them in any test (nor the production code). It will work in the test runners but we claim to support IE8+ for the production code, so I'm not entirely sure it's a good idea. What do you think, @mzabriskie @nickuraltsev?

Contributor

I think we can make an assumption that the adapter doesn't access document.cookie directly, but rather uses the cookies helper. It seems to be much easier to spy on a function than on a property with Jasmine.

Member

I agree. @pracucci, can you add that test?

Author

Done. What about this?

@coveralls

Coverage remained the same at 92.876% when pulling e861a6c on pracucci:master into 8abe0d4 on mzabriskie:master.

@nickuraltsev nickuraltsev merged commit 6132d96 into axios:master Aug 13, 2016
@axios axios locked and limited conversation to collaborators May 3, 2020
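
The check discussed in this thread, as an added example that is not code from the PR or from axios: it shows both ways of proving that cookies are never read when `xsrfCookieName` is null, an ES5 getter on the `cookie` property and a spy on the cookie helper. The names `makeDocument`, `readCookie`, `buildXsrfHeaders` and `makeSpy` are hypothetical, and the sandboxed document is a constructed stand-in for an iframe sandboxed without `allow-same-origin`, where reading `document.cookie` throws a `SecurityError`.

```javascript
// Added example with hypothetical names; this is not the axios source.

// Constructed stand-in for `document`. With sandboxed=true it mimics an iframe
// sandboxed without allow-same-origin, where reading document.cookie throws.
function makeDocument(cookieString, sandboxed) {
  const doc = { cookieReads: 0 };
  Object.defineProperty(doc, 'cookie', {
    get() {
      doc.cookieReads += 1; // ES5 getter: records every property read
      if (sandboxed) {
        const err = new Error('document is sandboxed');
        err.name = 'SecurityError';
        throw err;
      }
      return cookieString;
    }
  });
  return doc;
}

// Hypothetical cookie helper: the only code that touches doc.cookie.
function readCookie(doc, name) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const match = doc.cookie.match(new RegExp('(?:^|;\\s*)' + escaped + '=([^;]*)'));
  return match ? decodeURIComponent(match[1]) : null;
}

// Hypothetical adapter step: a null xsrfCookieName disables the lookup entirely.
function buildXsrfHeaders(config, doc, read = readCookie) {
  const headers = {};
  if (!config.xsrfCookieName) return headers; // never reaches the helper
  const token = read(doc, config.xsrfCookieName);
  if (token && config.xsrfHeaderName) headers[config.xsrfHeaderName] = token;
  return headers;
}

// Minimal call-counting spy, standing in for a Jasmine spy on the helper.
function makeSpy(fn) {
  const spy = (...args) => { spy.calls += 1; return fn(...args); };
  spy.calls = 0;
  return spy;
}

// Both observation styles from the thread, run against the sandboxed document.
const doc = makeDocument('', true);
const spy = makeSpy(readCookie);
const headers = buildXsrfHeaders({ xsrfCookieName: null, xsrfHeaderName: 'X-XSRF-TOKEN' }, doc, spy);
console.log(Object.keys(headers).length, spy.calls, doc.cookieReads);
```

The getter counts reads made by any code path, while the spy only sees calls that go through the helper, which is the assumption the Contributor's comment relies on.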
Successfully merging this pull request may close these issues.

Fails on same origin request running inside a sandboxed iframe