I've done a little bit of research on that after getting bitten by it too.
My understanding is that:

* CSRF basically protects against replay attacks. You need it if your users
can alter the state of your application in a bad way. It's always a
tradeoff, of course, but if you choose not to use it I would urge you to
carefully read at least the Wikipedia page on the subject so you can make
an informed decision. (In my case I decided that, given the nature of the
project, this was not worth worrying about *for now* and so shut it off.)
* While it's relatively easy to do with hidden fields in forms, AJAX is
more difficult. Apparently the best practice is to put the token inside the
headers of the server responses. It might still be necessary to put one on
the page somewhere (data-* field, maybe) if the first AJAX call is not a
GET request.

On Monday, 15 December 2014, Cesare <[email protected]> wrote:

> Yes. I was wondering what is the easiest way to make it work with a single
> page cljs/reagent app.
>
> I was looking at:
>
>
> http://www.luminusweb.net/docs/security.md#cross_site_request_forgery_protection
>
> and the token is added via template ({% csrf-token %}).
>
> Anyway, disabling it is enough for the moment :-)
>
> On Monday, 15 December 2014 10:00:29 UTC+1, Daniel Kersten wrote:
> > I guess you would have to manually add the token as a parameter to your
> > ajax call.
> >
> > On Mon, 15 Dec 2014 08:50 Cesare <[email protected]> wrote:
> > > Thank you so much Nico!
> > >
> > > I updated my handler.clj with the mk-defaults stuff and it works!
> > >
> > > Anyway, is it possible to perform the anti-forgery check with clj-ajax?
> > >
> > > Thanks again!
> > >
> > > On Saturday, 13 December 2014 21:22:04 UTC+1, Nicolás Berger wrote:
> > > > Cesare,
> > > >
> > > > lib-noir uses site-defaults from ring-defaults. site-defaults enables
> > > > anti-forgery by default:
> > > > https://github.com/ring-clojure/ring-defaults/blob/master/src/ring/middleware/defaults.clj#L45
> > > >
> > > > Until 0.9.1, lib-noir was assoc'ing {:anti-forgery false}. That's not
> > > > true anymore:
> > > > https://github.com/noir-clojure/lib-noir/commit/83203b12ab1421a8493301e492df6dd2ff0dabad
> > > >
> > > > luminus-template was updated to handle that change, doing the
> > > > {:anti-forgery false} assoc by default. You can create a new luminus
> > > > project, or take a look at the template to see how it's doing it:
> > > > https://github.com/yogthos/luminus-template/blob/master/src/leiningen/new/luminus/handler.clj#L57-L69
> > > >
> > > > Hope it helps!
> > > >
> > > > Nico
> > > >
> > > > On Fri, Dec 12, 2014 at 8:58 AM, Cesare <[email protected]> wrote:
> > > > > Hi All,
> > > > >
> > > > > I'm not sure this is the right place to ask... anyway: I have a
> > > > > Luminus project with cljs template (ClojureScript + Reagent).
> > > > >
> > > > > After upgrading lib-noir (now at 0.9.5), it seems that the
> > > > > anti-forgery check is now enabled by default.
> > > > >
> > > > > How can I manage it from ClojureScript, in particular in ajax calls?
> > > > >
> > > > > At the moment I get the error "Invalid anti-forgery token" for POST
> > > > > calls.
> > > > >
> > > > > Thanks a lot
> > > > >
> > > > > Bye
> > > > >
> > > > > --
> > > > > Note that posts from new members are moderated - please be patient
> > > > > with your first post.
> > > > > ---
> > > > > You received this message because you are subscribed to the Google
> > > > > Groups "ClojureScript" group.
> > > > > To unsubscribe from this group and stop receiving emails from it, send
> > > > > an email to [email protected].
> > > > > To post to this group, send email to [email protected].
> > > > > Visit this group at http://groups.google.com/group/clojurescript.

