[bug] Change default request header onto custom

Question

[bug] Change default request header onto custom

kubitre opened this issue 4 years ago · comments

Describe the bug
While sending request from my frontend i found that frontend http client setting up cookie into headers. I also found custom option for request header. But that does not work.

…

Versions

Go version: go version go1.15.4 linux/amd64
package version: 3cab164ede93be0d8021150e336fc8eb9b2d1ccd

…

Steps to Reproduce

How can the bug be triggered?
Use fetch api client. Setting up csrf with custom requestheader name

Expected behavior

What output or behaviour were you expecting instead?
I want the non-standard request header to be read from headers and not from cookies
…

Scrennshots:

Matt Silverlock · Answer 1 · Thu Nov 19 2020 07:28:47 GMT+0800 (China Standard Time)

The validation code path does check the header first: https://github.com/gorilla/csrf/blob/9565ae2856dc7afa0ec76b0eaf6898f7f59c504b/helpers.go#L108 Protect’s ServeHTTP implementation gets the requestToken from the cs.requestToken method here: https://github.com/gorilla/csrf/blob/9565ae2856dc7afa0ec76b0eaf6898f7f59c504b/csrf.go#L286

Anosov Konstantin · Answer 2 · Thu Nov 19 2020 15:29:49 GMT+0800 (China Standard Time)

ok, thanks

stale · Answer 3 · Sun Jan 24 2021 01:58:44 GMT+0800 (China Standard Time)

This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.