-
Nick Stenning authoredWhen fetching a JWT from the server, the client needs to supply the session CSRF token in order to prevent third-party pages from being able to fetch and use tokens without the user's permission. Previously, it was necessary to supply this token in the "assertion" GET parameter -- in an attempt to make this look a bit like an OAuth token issuance API -- but in Pyramid 1.7 this isn't allowed, and it turns out not to be necessary, because Angular's CSRF support retrieves the token from an XSRF-TOKEN cookie set in earlier requests and sets the X-CSRF-Token request header automatically.
e0e23bde
| Name |
Last commit
|
Last update |
|---|---|---|
| .github | ||
| docs | ||
| h | ||
| images | ||
| scripts | ||
| .eslintignore | ||
| .eslintrc | ||
| .gitignore | ||
| .npmignore | ||
| .npmrc | ||
| .travis.yml | ||
| CHANGELOG.md | ||
| CODE_OF_CONDUCT | ||
| Jenkinsfile | ||
| LICENSE | ||
| Makefile | ||
| README.md | ||
| gulpfile.js | ||
| npm-shrinkwrap.json | ||
| package.json |