Please help me clear up some doubts about the XSRF token in Laravel, although this topic probably applies not only to that framework. I understand what is going on when we attach a hidden CSRF token to a form. However, I noticed that the cookie attached to every request to a Laravel application contains something like this:
"cookie": "XDEBUG_SESSION=XDEBUG_ECLIPSE; XSRF-TOKEN=eyJpdiI6Ijg0WHNCRG53K2VxamdsU04vUDR6NFE9PSIsInZhbHVlIjoiZG
And I read a bit about it; the guys on Stack Overflow describe it like this:
x-xsrf-token:
- It is added to the request header for ajax requests.
- Popular libraries like angular and axios, automatically get value of this header from xsrf-token cookie and put it in every request header.
- To use it, we should create a cookie named xsrf-token in backend, then our front end framework that uses angular or axios will use it automatically.
https://stackoverflow.com/questions/42408177/what-is-the-difference-between-x-xsrf-token-and-x-csrf-token
An alternative approach (called the "Cookie-to-header token" pattern) is to set a Cookie once per session and the have JavaScript read that cookie and set a custom HTTP header (often called X-CSRF-TOKEN or X-XSRF-TOKEN or just XSRF-TOKEN) with that value. Any requests will send both the header (set by Javascript) and the cookie (set by the browser as a standard HTTP header) and then the server can check that value in the X-CSRF-TOKEN header matches the value in the cookie header. The idea being that only JavaScript run on the same domain would have access to the cookie, so JavaScript from another domain couldn't set this header to the right value (assuming the page is not vulnerable to XSS that would give access to this cookie). Even fake links (e.g. in a phishing email) would not work either, as even though they would appear to come from the right domain, only the cookie will be set but not X-CSRF-TOKEN header.
https://stackoverflow.com/questions/34782493/difference-between-csrf-and-x-csrf-token/34783845
Pay attention to the highlighted text. We are getting to the heart of the matter. Why add the XSRF token to every AJAX request if there is such a thing as the Same Origin Policy and the browser blocks AJAX requests coming from other domains anyway (at least by default)? What is it needed for?
Besides, how is it in the end? If this is meant for AJAX, why does the guy write:
Even fake links (e.g. in a phishing email) would not work either, as even though they would appear to come from the right domain, only the cookie will be set but not X-CSRF-TOKEN header.
??