abuiles/rails-csrf

Clarification on removing GET /api/csrf

Closed this issue · 9 comments

I'm a little confused by the current state of this add-on package due to 256842c. What was the rationale for the removal of the API call to fetch the CSRF token?

Furthermore, the docs mention that you must include a static CSRF token. Why is this? Seems like this would defeat the purpose of server-generated CSRF tokens if you're able to pass arbitrary values to the server.

Thanks!

Just replied to you via email. If someone else wants to know the reason behind this, please send me an email at builes.adolfo@gmail.com

Hey @abuiles can you elaborate on this publicly please?

@3v0k4 please send me an email

Hey @abuiles, sent you an email as well. Awaiting your response.

Sent you an email too

@krzkrzkrz FYI - I have not received a response from @abuiles yet.

I think it would make more sense to post some details here instead of asking people to send you an email to get details...

@jayswain It's not my line to give out the reason. The author did communicate it out to me though. It's not for me to say. I think it would be best to leave it to the author to decide if or how he should communicate the details. You can also try reaching him on irc/freenode server, #ember-cli channel.

Don't get me wrong. I do agree, some public details would be convenient for others.

I'm no longer maintaining this library. If someone wants to take over, feel free to ping me. 24fc8d2