Pass CSRF token using Sec-WebSocket-Protocol header
#418
Comments
iarenaza
added a commit
to iarenaza/sente
that referenced
this issue
Apr 2, 2025
The proposed change tries to respect other values in the Sec-WebSocket-Protocol header, that the caller may have set in the `headers` option when calling `make-channel-socket-client!` [Re: taoensso#418]
iarenaza
added a commit
to iarenaza/sente
that referenced
this issue
Apr 2, 2025
The proposed change tries to respect other values in the Sec-WebSocket-Protocol header, that the caller may have set in the `headers` option when calling `make-channel-socket-client!` [Re: taoensso#418]
iarenaza
added a commit
to iarenaza/sente
that referenced
this issue
Apr 5, 2025
The proposed change tries to respect other values in the Sec-WebSocket-Protocol header, that the caller may have set in the `headers` option when calling `make-channel-socket-client!` [Re: taoensso#418]
ptaoussanis
pushed a commit
that referenced
this issue
Apr 7, 2025
…@iarenaza) Before this commit: WebSocket client conveys CSRF token to server via `:csrf-token` query param. After this commit: WebSocket client conveys CSRF token to server via `Sec-WebSocket-Protocol` header. Motivation: Moving the token from query param to a header helps reduce the likelihood of accidental leaking (e.g. via logging). While the `Sec-WebSocket-Protocol` header isn't specifically intended for conveying metadata like a CSRF token, the consensus seems to be that this is anyway a practical choice without major downsides or obviously better alternatives. As implemented the change tries to respect other values in the `Sec-WebSocket-Protocol` header that may have been set when calling `make-channel-socket-client!`.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
For more context: #137 (comment)
The text was updated successfully, but these errors were encountered: