CSRF Protection Error when loading script
aturkewi opened this issue
I'm now seeing a CSRF error when the details page tries to load the details.js script:
** (Plug.CSRFProtection.InvalidCrossOriginRequestError) security warning: an embedded <script> tag on another site requested protected JavaScript (if you know what you're doing, disable forgery protection for this route)
When this JS file does not load, there are no longer any confirmation boxes showing up.
I think we need to either ignore CSRF Protection on this route or add the token when loading up the script.
I introduced this error with PR #4 and I'll look at putting in a fix as soon as I can.
Hi, thank you for flagging and for volunteering a fix!
This should be fixed now.
@tompave we're seeing this now:
** (Plug.CSRFProtection.InvalidCrossOriginRequestError) security warning: an embedded <script> tag on another site requested protected JavaScript (if you know what you're doing, disable forgery protection for this route)
(plug 1.10.3) lib/plug/csrf_protection.ex:388: Plug.CSRFProtection.ensure_same_origin_and_csrf_token!/3
# mix.exs
{:fun_with_flags, "~> 1.5.1"},
{:fun_with_flags_ui, "~> 0.7.2"},
{:phoenix, "~> 1.5.4", override: true},
{:phoenix_ecto, "~> 4.1.0"},
{:phoenix_html, "~> 2.14.2"},
{:phoenix_live_dashboard, "~> 0.2.7"},
{:phoenix_live_reload, "~> 1.2.4", only: :dev},
{:phoenix_live_view, "~> 0.14.3"},
{:plug_cowboy, "~> 2.3.0"},
# mix.lock
"plug": {:hex, :plug, "1.10.3", :...},
# router.ex
scope path: "/feature-flags" do
pipe_through [:browser, :ensure_admin]
forward "/", FunWithFlags.UI.Router, namespace: "feature-flags"
end
Hi @garthk, thanks for opening the issue, but that description doesn't provide enough info. Also, this issue is quite old, it's closed, and the original problem was resolved.
Can you please open a new issue and clearly describe what the problem is? What request is causing the error? Is it a page load request? An asset request? Was it working before and then it stopped? What changed?
Thanks
@garthk I'm going to take a guess at this one. It looks like you're piping through :browser and I'm not sure how you have that set up. If you take a look at the readme, it recommends piping through a custom :mounted_apps pipeline instead. I think the default :browser does too much (including :protect_from_forgery which is now baked into this package). Does that help at all?
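To make the suggestion above concrete, here is an added router example (not code from the thread or from the fun_with_flags_ui project) contrasting the setup in the reported config with one that routes the mounted UI through a dedicated pipeline. The plug list in :mounted_apps is an assumption modelled on a typical Phoenix :browser pipeline minus :protect_from_forgery; :ensure_admin is the reporter's own plug and is assumed to be defined elsewhere in the router.

```elixir
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  # Typical Phoenix :browser pipeline. It applies :protect_from_forgery to every
  # request, including the JavaScript asset requests made by the mounted UI, which
  # is what raises Plug.CSRFProtection.InvalidCrossOriginRequestError above.
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :protect_from_forgery
    plug :put_secure_browser_headers
  end

  # Dedicated pipeline for forwarded apps (assumed plug list). It keeps the session
  # and secure headers but omits :protect_from_forgery, because the mounted
  # FunWithFlags.UI.Router applies its own CSRF protection to its state-changing
  # routes. CSRF protection for the rest of the app is unchanged.
  pipeline :mounted_apps do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :put_secure_browser_headers
  end

  # Problematic form from the report: the asset request hits :protect_from_forgery.
  # scope path: "/feature-flags" do
  #   pipe_through [:browser, :ensure_admin]
  #   forward "/", FunWithFlags.UI.Router, namespace: "feature-flags"
  # end

  # Corrected form: same admin gate (:ensure_admin assumed defined below), but the
  # forwarded router is reached through :mounted_apps instead of :browser.
  scope path: "/feature-flags" do
    pipe_through [:mounted_apps, :ensure_admin]
    forward "/", FunWithFlags.UI.Router, namespace: "feature-flags"
  end
end
```

Keep :ensure_admin (or an equivalent authentication plug) in the pipe_through list, since the change only moves CSRF handling into the mounted router and does not replace access control.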