6

Do I have to set anything to send X-XSRF-TOKEN header if I set a XSRF-TOKEN cookie server side?

https://github.com/axios/axios/blob/master/lib/defaults.js#L74 https://github.com/axios/axios/blob/master/dist/axios.js#L1072

It reads like I don't, but I'm not seeing one go out.

I'll add that I have set withCredentials to true, so I do meet the first check in the OR:

var xsrfValue = (config.withCredentials || isURLSameOrigin(config.url)) && config.xsrfCookieName ?
            cookies.read(config.xsrfCookieName) :
            undefined;

          if (xsrfValue) {
            requestHeaders[config.xsrfHeaderName] = xsrfValue;
}

so if config.xsrfCookieName is a default.....

Update:

So, my OPTIONS preflight CORS is working, as is the POST now, but no X-XSRF-TOKEN being sent.

  methods: {
    onSubmit(e) {
      this.axios
        .post(
          e.target.action,
          { data: this.form },
          {
            withCredentials: true,
            xsrfCookieName: "XSRF-TOKEN",
            xsrfHeaderName: "X-XSRF-TOKEN"
          }
        )
        .then(res => {
          console.log(res)
        })
        .catch(err => {
          this.errors.push(err)
        })
    }
  }

Thanks.

Gavin Henry
  • 182
  • 1
  • 1
  • 16

1 Answers1

4

I had the same issue and was about the "secure" flag on the cookie as can be seen on the cookies tab of the request, but is not showing on the cookies under "application" tab:

XSRF-TOKEN secure

In my case, I had to ask the backend to set it down. This happens because, as secure, you cannot access to it via javascript.

document.cookie // is empty
Charly.Org
  • 1,084
  • 10
  • 9
  • 7
    "Secure" cookies *can* be read by javascript, it's Http-only ones that cannot. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Secure "Cookies with this attribute can still be read/modified with access to the client's hard disk, or from JavaScript if the HttpOnly cookie attribute is not set." – npretto Jul 16 '21 at 06:40