Let CSRF Token Be Available #2523
Comments
Also, as a follow-up question, is there a better way to force the session other than putting the
Yes, by default. It reduces attack surface and most installs don't need access to it from JS. If you have an explicit need where you need to, you can override component behavior in
You can use `{{ craft.app.session.open() }}`
Thank you @angrybrad
I am not sure if this is an issue or just a lack of understanding on my part, but the CRAFT_CSRF_TOKEN cookie is set as httpOnly on this line:
cms/src/Craft.php
Line 103 in d8e0232
after being called from here:
cms/src/config/app.web.php
Line 42 in ad74028
Should this cookie be hidden from JavaScript? If it isn't available to JavaScript, why is it there?
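Added example, not part of the issue thread and not Craft's or Yii's own code: a simplified double-submit model showing that an HttpOnly `CRAFT_CSRF_TOKEN` cookie is still sent with every request and checked server-side, while page script receives the token through the rendered form instead of `document.cookie`. The field name `csrf_field`, the toy cookie jar, and the plain (unmasked) token comparison are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

const COOKIE = 'CRAFT_CSRF_TOKEN'; // cookie name from the issue
const FIELD = 'csrf_field';        // hypothetical form field name

// Server: mint a token, store it in an HttpOnly cookie, and embed the same
// value in the rendered form so the page can submit it back.
function renderForm() {
  const token = nodeCrypto.randomBytes(32).toString('hex');
  return {
    setCookie: `${COOKIE}=${token}; Path=/; HttpOnly; SameSite=Lax`,
    html: `<form method="post"><input type="hidden" name="${FIELD}" value="${token}"></form>`,
  };
}

// Browser: store a Set-Cookie header in a toy cookie jar.
function storeCookie(jar, header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  jar.set(pair.slice(0, eq), {
    value: pair.slice(eq + 1),
    httpOnly: attrs.some((a) => a.toLowerCase() === 'httponly'),
  });
}

// Browser: what document.cookie would return (HttpOnly entries are omitted).
function documentCookie(jar) {
  return [...jar].filter(([, c]) => !c.httpOnly).map(([n, c]) => `${n}=${c.value}`).join('; ');
}

// Browser: the Cookie request header, which does include HttpOnly entries.
function cookieHeader(jar) {
  return [...jar].map(([n, c]) => `${n}=${c.value}`).join('; ');
}

// Server: accept the request only if the body token matches the cookie token.
function isValid(cookieHdr, body) {
  const m = cookieHdr.match(new RegExp(`(?:^|; )${COOKIE}=([0-9a-f]+)`));
  const sent = Buffer.from(String(body[FIELD] || ''));
  const kept = Buffer.from(m ? m[1] : '');
  return kept.length > 0 && sent.length === kept.length && nodeCrypto.timingSafeEqual(sent, kept);
}
```

A cross-site form post carries the cookie automatically but cannot supply the matching body field, so `isValid` rejects it.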