Skip to content

Async csrf improvements #17054

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
brianjhanson wants to merge 3 commits into
base: 5.x
Choose a base branch
from
Draft

Async csrf improvements #17054

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ba15f72
WIP
brianjhanson Apr 8, 2025
b9df236
Probably a better approach
brianjhanson Apr 9, 2025
61c2f73
Reset package-lock
brianjhanson Apr 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 34 additions & 14 deletions src/templates/_special/async-csrf-input.twig
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,19 +1,39 @@
<script>
(function() {
fetch('{{ url }}', {
headers: {
'Accept': 'application/json',
function fetchCsrfData() {
return fetch('{{ url }}', {
headers: {
'Accept': 'application/json',
},
}).then((response) => response.json());
}
function createHiddenInput({name, value}) {
const input = document.createElement('input');
input.type = 'hidden';
input.name = name;
input.value = value;
return input;
}
function handleFocusIn(e) {
const asyncInput = e.currentTarget.querySelector('craft-csrf-input');
if (asyncInput) {
fetchCsrfData().then(({csrfTokenName, csrfTokenValue}) => {
const input = createHiddenInput({name: csrfTokenName, value: csrfTokenValue});
asyncInput.replaceWith(input);
});
Copy link
Contributor

@timkelty timkelty Apr 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we also need to defer/debounce submit events that come in between focusin and injecting the input.

Over a slow connection, you could interact with the form and submit before the CSRF has been injected, resulting in a CSRF error.

Copy link
Contributor

@leevigraham leevigraham May 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe firing a csrfloaded event that bubbles up to the form would allow js to disable / enable the form submission.

}
}).then(response => response.json())
.then(data => {
document.querySelectorAll('craft-csrf-input')
.forEach(element => {
const input = document.createElement('input');
input.type = 'hidden';
input.name = data.csrfTokenName;
input.value = data.csrfTokenValue;
element.replaceWith(input);
});
});
}
const asyncInputs = document.querySelectorAll('craft-csrf-input');
asyncInputs.forEach((el) => {
const form = el.closest('form');
if (!form) {
console.warning('craft-csrf-input should be within a form element.');
return;
}
form.addEventListener('focusin', handleFocusIn);
});
})();
</script>