CSRF only works if you use SQLFORM. Do you? Then it depends on how you use 
it. The workflow is the following:

1) visit the page
{{=SQLFORM(....).process()}} generates the html form and injects some hidden 
fields in it
2) you submit the form
{{=SQLFORM(....).process()}} checks the hidden fields and accepts or rejects 
the submission

If you use SQLFORM (even if via ajax) you must make both calls, retrieve 
and display the hidden fields.

On Tuesday, 17 July 2012 03:21:59 UTC-5, murtaza52 wrote:
>
> Hi,
>
> We are creating our frontend using angular.js and the API layer is in 
> web2py. The web2py documentation says: 
>
> web2py prevents CSRF as well as accidental double submission of forms by 
>> assigning a one-time random token to each form. 
>
>
> So how will that work in the instance of a pure JS frontend? Will I need 
> to implement something on the client side to enable it?
>
> The initial request will go to the web2py app, which will send back the 
> index.html, which will contain the js script as an include. This will load 
> the js interface during the initial request. After this all calls will be 
> ajax calls to the server, to return back JSON.
>
> Also I will be using the web2py authentication/authorization for securing 
> the API. So would I be breaking any web2py compatibility in this regard or 
> with any other security concerns?
>
> Thanks,
> Murtaza 
>
>
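As an added illustration of the two-step workflow described in the reply (this is example code written for this page, not web2py's own implementation and not code from either poster): step 1 renders a form and hands the client hidden fields carrying a fresh one-time key; step 2 accepts a submission only if it echoes back a key that is still outstanding for that form name, then discards it so a second submission with the same key is rejected. The field names `_formname` and `_formkey` follow the hidden inputs web2py's SQLFORM emits; the `FormTokenStore` class, the function names and the sample payload are constructed for the example and stand in for the session state a real app would keep between the two requests.

```python
import secrets
import hmac


class FormTokenStore:
    """Constructed stand-in for per-session state: remembers which one-time
    keys have been issued for each form name and not yet consumed."""

    def __init__(self):
        self._outstanding = {}  # formname -> set of not-yet-used keys

    def issue(self, formname):
        """Step 1: mint a random one-time key for this form and remember it."""
        key = secrets.token_urlsafe(32)
        self._outstanding.setdefault(formname, set()).add(key)
        return key

    def consume(self, formname, key):
        """Step 2: accept a key only if it is outstanding, then forget it,
        so the same key cannot be replayed (accidental double submission
        or a replayed request both fail the second time)."""
        keys = self._outstanding.get(formname, set())
        for known in keys:
            # Constant-time comparison on bytes so a non-ASCII guess cannot
            # raise and so timing does not leak how much of the key matched.
            if hmac.compare_digest(known.encode(), key.encode()):
                keys.discard(known)  # safe: we return immediately
                return True
        return False


def render_form(store, formname):
    """Return the hidden fields the client must echo back with its submission.
    A JS client would read these out of the served HTML (or a small JSON
    endpoint that returns them) before issuing its ajax POST."""
    return {"_formname": formname, "_formkey": store.issue(formname)}


def process_submission(store, formname, post_data):
    """Validate a posted body (a dict here) and return (accepted, reason)."""
    if post_data.get("_formname") != formname:
        return False, "missing or wrong _formname"
    key = post_data.get("_formkey")
    if not isinstance(key, str) or not key:
        return False, "missing _formkey"
    if not store.consume(formname, key):
        return False, "unknown or already-used _formkey"
    return True, "accepted"


def demo():
    """Walk through the two calls the reply insists on, plus the failure cases."""
    store = FormTokenStore()
    hidden = render_form(store, "signup")                 # call 1: render
    body = dict(hidden, email="alice@example.invalid")    # constructed payload
    first = process_submission(store, "signup", body)     # call 2: process
    second = process_submission(store, "signup", body)    # same key again
    forged = process_submission(store, "signup",
                                {"_formname": "signup", "_formkey": "guess"})
    return first, second, forged


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The point for a pure-JS frontend follows directly: because the key only exists after the rendering call, the client cannot skip to the POST. It has to make the first request, keep the hidden fields it receives, and send them back in the body of the ajax submission; anything else is rejected as a missing or unknown key.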
