
CSRF Protection Error when loading script #5

Closed
aturkewi opened this issue Sep 25, 2018 · 5 comments

Comments

@aturkewi
Contributor

I'm now seeing a CSRF error when the details page tries to load the details.js script:

** (Plug.CSRFProtection.InvalidCrossOriginRequestError) security warning: an embedded <script> tag on another site requested protected JavaScript (if you know what you're doing, disable forgery protection for this route)

When this JS file does not load, there are no longer any confirmation boxes showing up.

I think we need to either ignore CSRF Protection on this route or add the token when loading up the script.

I introduced this error with PR #4 and I'll look at putting in a fix as soon as I can.

@tompave
Owner

tompave commented Sep 25, 2018

Hi, thank you for flagging and for volunteering a fix!

@tompave
Owner

tompave commented Oct 21, 2018

This should be fixed now.

@tompave tompave closed this as completed Oct 21, 2018
@garthk

garthk commented Aug 3, 2020

@tompave we're seeing this now:

** (Plug.CSRFProtection.InvalidCrossOriginRequestError) security warning: an embedded <script> tag on another site requested protected JavaScript (if you know what you're doing, disable forgery protection for this route)
    (plug 1.10.3) lib/plug/csrf_protection.ex:388: Plug.CSRFProtection.ensure_same_origin_and_csrf_token!/3
# mix.exs
      {:fun_with_flags, "~> 1.5.1"},
      {:fun_with_flags_ui, "~> 0.7.2"},
      {:phoenix, "~> 1.5.4", override: true},
      {:phoenix_ecto, "~> 4.1.0"},
      {:phoenix_html, "~> 2.14.2"},
      {:phoenix_live_dashboard, "~> 0.2.7"},
      {:phoenix_live_reload, "~> 1.2.4", only: :dev},
      {:phoenix_live_view, "~> 0.14.3"},
      {:plug_cowboy, "~> 2.3.0"},
# mix.lock
  "plug": {:hex, :plug, "1.10.3",  :...},
# router.ex
  scope path: "/feature-flags" do
    pipe_through [:browser, :ensure_admin]
    forward "/", FunWithFlags.UI.Router, namespace: "feature-flags"
  end

@tompave
Owner

tompave commented Aug 4, 2020

Hi @garthk, thanks for opening the issue, but that description doesn't provide enough info. Also, this issue is quite old, it's closed, and the original problem was resolved.

Can you please open a new issue and clearly describe what the problem is? What request is causing the error? Is it a page load request? An asset request? Was it working before and then it stopped? What changed?

Thanks

@aturkewi
Contributor Author

aturkewi commented Aug 10, 2020

@garthk I'm going to take a guess at this one. It looks like you're piping through :browser and I'm not sure how you have that set up. If you take a look at the readme, it recommends piping through a custom :mounted_apps pipeline instead. I think the default :browser does too much (including :protect_from_forgery, which is now baked into this package).
Does that help at all?
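As an added illustration of the pipeline change discussed above (example code written for this page, not code from the thread or from the fun_with_flags_ui project), the two router setups side by side. The :browser pipeline mirrors the Phoenix 1.5 generator default; the :mounted_apps pipeline follows the shape the readme recommends (assumed here); MyAppWeb and the MyAppWeb.Plugs.EnsureAdmin module behind :ensure_admin are hypothetical names standing in for the app's own.

```elixir
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  # Default Phoenix browser pipeline. :protect_from_forgery runs
  # Plug.CSRFProtection on every request routed through it, including the
  # forwarded GET for the UI's details.js, which is what raises
  # Plug.CSRFProtection.InvalidCrossOriginRequestError.
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :protect_from_forgery
    plug :put_secure_browser_headers
  end

  # Lighter pipeline for mounted apps. No :protect_from_forgery here: the
  # mounted FunWithFlags.UI.Router applies its own CSRF protection to
  # state-changing requests. :fetch_session alone does not run the CSRF
  # check; it is kept so a session-based :ensure_admin still works.
  pipeline :mounted_apps do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :put_secure_browser_headers
  end

  # The app's own authorization gate (hypothetical module name). Keep it;
  # only the duplicated CSRF plug goes away.
  pipeline :ensure_admin do
    plug MyAppWeb.Plugs.EnsureAdmin
  end

  # Problematic: CSRF enforced twice, once by :browser and once by the UI router.
  #
  #   scope path: "/feature-flags" do
  #     pipe_through [:browser, :ensure_admin]
  #     forward "/", FunWithFlags.UI.Router, namespace: "feature-flags"
  #   end

  # Corrected: still gated by :ensure_admin, CSRF left to the UI router.
  scope path: "/feature-flags" do
    pipe_through [:mounted_apps, :ensure_admin]
    forward "/", FunWithFlags.UI.Router, namespace: "feature-flags"
  end
end
```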
