-
Nick Stenning authored
When fetching a JWT from the server, the client needs to supply the session CSRF token in order to prevent third-party pages from being able to fetch and use tokens without the user's permission. Previously, it was necessary to supply this token in the "assertion" GET parameter -- in an attempt to make this look a bit like an OAuth token issuance API -- but in Pyramid 1.7 this isn't allowed, and it turns out not to be necessary, because Angular's CSRF support retrieves the token from an XSRF-TOKEN cookie set in earlier requests and sets the X-CSRF-Token request header automatically.
e0e23bde