
I have an app with Django as the server and Angular in the front end. I know both Django and Angular have built-in support for CSRF (Cross Site Request Forgery) protection.

So from these resources:

http://django-angular.readthedocs.org/en/latest/csrf-protection.html

Django csrf token + Angularjs

I could implement CSRF protection easily. But unfortunately those solutions are not working for me.

More digging showed that it won't work for cross domains. Well, my Django and Angular will be in the same domain after the build, but I want to test the CSRF in my development environment.

So my question is, how can I use CSRF in cross-domain (in this scenario)? At least in my dev environment? (http://localhost/)

Thanks in advance.

sideshowbarker
Asim K T
  • From which server are the Angular files served? – MrNobody007 Feb 19 '16 at 11:32
  • Like I said, after the build the files will be in the same domain. But now I am running it from my system itself (localhost). – Asim K T Feb 19 '16 at 11:35
  • I'm having a similar setup to yours (without using django-angular though) and the solution presented in the second link you posted works just fine. Also I don't see how you could have a CORS problem in your dev environment. Could you elaborate on the issue you are having? – 4rlekin Feb 19 '16 at 11:36
  • @AsimKT I'm asking whether you are using nginx or any other static server. – MrNobody007 Feb 19 '16 at 11:39
  • When I am serving my files in localhost there will be CORS issue, because the server is residing in another domain. We have enabled the CORS in server so that I can access the apis from anywhere. You had server and client in different domains? @4rlekin – Asim K T Feb 19 '16 at 11:40
  • @Pruthvi No, it's Apache. Sorry, I didn't understand you the first time. – Asim K T Feb 19 '16 at 11:41
  • @AsimKT well, you didn't (still) specify your setup. I'm using Django runserver for my development, and runserver also serves statics and all, so I don't see how there could possibly be a CORS issue, unless you are developing in some other, more complicated, setup – 4rlekin Feb 19 '16 at 11:42
  • On which port are you running Apache and your API? – MrNobody007 Feb 19 '16 at 11:43
  • @4rlekin Oh, actually Django is acting as an API provider only, and Angular is independent (static/ in Django has nothing). But I think that won't have any issues related to this question. The problem is, I can access the APIs and all, but Angular is not sending the CSRF token if it's in localhost. – Asim K T Feb 19 '16 at 11:48
  • @prithvi no port. E.g. the login API is at https://example.com/login/. And we are mapping the IP to the build folder (dist/) so that the Angular app will load when the address is hit. – Asim K T Feb 19 '16 at 11:49

1 Answer


I think you could simulate the domain name by modifying the /etc/hosts file. Please refer to the link below for more information; it will surely solve your problem.

https://docs.acquia.com/article/using-etchosts-file-custom-domains-during-development
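
Why a hosts-file entry can change whether the CSRF cookie reaches the dev page, as an added example that is not part of the original answer: it parses a constructed hosts file and applies the RFC 6265 domain-match rule to each loopback hostname. The hostname `dev.example.com` and the cookie `Domain=.example.com` (for instance set through Django's `CSRF_COOKIE_DOMAIN`) are assumptions for illustration.

```python
import ipaddress

# Constructed sample hosts file (not from the original post).
SAMPLE_HOSTS = """\
# dev mappings
127.0.0.1   localhost
127.0.0.1   dev.example.com   # hypothetical dev hostname
::1         localhost
"""

def loopback_names(hosts_text):
    """Return the hostnames that a hosts file maps to a loopback address."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address column, skip the line
        if addr.is_loopback:
            names.update(n.lower() for n in fields[1:])
    return names

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match against a cookie Domain attribute."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # suffix matching never applies to IP addresses
    except ValueError:
        # require a label boundary so "evilexample.com" does not match
        return host.endswith("." + domain)

def csrf_cookie_visible(hosts_text, cookie_domain):
    """Map each loopback dev hostname to whether the cookie domain-matches it."""
    return {name: domain_match(name, cookie_domain)
            for name in sorted(loopback_names(hosts_text))}

if __name__ == "__main__":
    for name, ok in csrf_cookie_visible(SAMPLE_HOSTS, ".example.com").items():
        print(f"{name:20} cookie domain-matches: {ok}")
```

The check models only the Domain attribute; the cookie's Secure flag and the scheme of the dev page are not considered.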