tompave / fun_with_flags_ui

Web dashboard for the FunWithFlags Elixir package


CSRF Protection Error when loading script

aturkewi opened this issue · comments

I'm now seeing a CSRF error when the details page tries to load the details.js script:

** (Plug.CSRFProtection.InvalidCrossOriginRequestError) security warning: an embedded <script> tag on another site requested protected JavaScript (if you know what you're doing, disable forgery protection for this route)

When this JS file does not load, there are no longer any confirmation boxes showing up.

I think we need to either ignore CSRF Protection on this route or add the token when loading up the script.

I introduced this error with PR #4 and I'll look at putting in a fix as soon as I can.

Hi, thank you for flagging and for volunteering a fix!

This should be fixed now.

@tompave we're seeing this now:

** (Plug.CSRFProtection.InvalidCrossOriginRequestError) security warning: an embedded <script> tag on another site requested protected JavaScript (if you know what you're doing, disable forgery protection for this route)
    (plug 1.10.3) lib/plug/csrf_protection.ex:388: Plug.CSRFProtection.ensure_same_origin_and_csrf_token!/3
# mix.exs
      {:fun_with_flags, "~> 1.5.1"},
      {:fun_with_flags_ui, "~> 0.7.2"},
      {:phoenix, "~> 1.5.4", override: true},
      {:phoenix_ecto, "~> 4.1.0"},
      {:phoenix_html, "~> 2.14.2"},
      {:phoenix_live_dashboard, "~> 0.2.7"},
      {:phoenix_live_reload, "~> 1.2.4", only: :dev},
      {:phoenix_live_view, "~> 0.14.3"},
      {:plug_cowboy, "~> 2.3.0"},
# mix.lock
  "plug": {:hex, :plug, "1.10.3",  :...},
# router.ex
  scope path: "/feature-flags" do
    pipe_through [:browser, :ensure_admin]
    forward "/", FunWithFlags.UI.Router, namespace: "feature-flags"
  end

Hi @garthk, thanks for opening the issue, but that description doesn't provide enough info. Also, this issue is quite old, it's closed, and the original problem was resolved.

Can you please open a new issue and clearly describe what the problem is? What request is causing the error? Is it a page load request? An asset request? Was it working before and then it stopped? What changed?

Thanks

@garthk I'm going to take a guess at this one. It looks like you're piping through :browser and I'm not sure how you have that set up. If you take a look at the readme, it recommends piping through a custom :mounted_apps pipeline instead. I think the default :browser does too much (including :protect_from_forgery which is now baked into this package).
Does that help at all?
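To make the suggestion above concrete, here is an added router illustration (not code from the project or from anyone in this thread) that keeps the admin gate from garthk's snippet but mounts the dashboard behind a lighter :mounted_apps pipeline instead of :browser. The :require_admin function plug and the session flag it reads are assumptions; the README's pipeline has only :accepts and :put_secure_browser_headers, and :fetch_session is added here only so the assumed admin check can work.

```elixir
defmodule MyAppWeb.Router do
  use Phoenix.Router
  import Plug.Conn
  import Phoenix.Controller

  # The default :browser pipeline runs :protect_from_forgery on every request
  # it handles, including the GET for the dashboard's own details.js. A plain
  # <script src> load is not an XHR and carries no CSRF token, so
  # Plug.CSRFProtection treats it as a possible cross-site script request and
  # raises InvalidCrossOriginRequestError, the error reported in this issue.
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :protect_from_forgery
    plug :put_secure_browser_headers
  end

  # Lighter pipeline for the mounted dashboard. No :protect_from_forgery here:
  # FunWithFlags.UI.Router applies its own CSRF protection to its routes, so a
  # second layer at the host level only breaks the asset request.
  pipeline :mounted_apps do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :put_secure_browser_headers
  end

  # Assumed authorization gate; replace with the application's real check.
  pipeline :ensure_admin do
    plug :require_admin
  end

  scope path: "/feature-flags" do
    pipe_through [:mounted_apps, :ensure_admin]
    forward "/", FunWithFlags.UI.Router, namespace: "feature-flags"
  end

  # Function plug: deny anything that is not an admin session (assumed flag).
  def require_admin(conn, _opts) do
    if get_session(conn, :admin) do
      conn
    else
      conn |> send_resp(403, "forbidden") |> halt()
    end
  end
end
```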