gorilla/csrf

Enhancement: make safe methods configurable

fredbi opened this issue · 3 comments

If maintainers agree, I am willing to push a PR that would make safe methods configurable as an Option.

The use case is general API calls (e.g. w/ AJAX client), so it's not related to HTML forms.

I would like to embed this in some API proxy which is highly customizable and which can't guarantee that
upstream API state is not modified by GET methods.

In particular, if the very first hit is a POST, it gets complicated to have the CSRF token initialized.

Disabling CSRF with UnsafeSkipCheck is the way I intend to programmatically declare an endpoint "safe", not making assumptions on how methods are actually used by upstream apps.

This add-on would be pretty light and does not change existing behavior for package users.
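
What a configurable safe-method set would change, as an added example that is not part of the issue and is not gorilla/csrf code: `protect`, `status` and the fixed sample token are hypothetical, and the real package compares a masked per-request token against a cookie-backed secret rather than a constant.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// protect is a hypothetical, simplified CSRF check (assumption, not gorilla/csrf):
// requests whose method is in safeMethods pass unchecked; every other request
// must carry the expected token in the X-CSRF-Token header.
func protect(expected string, safeMethods []string, next http.Handler) http.Handler {
	safe := make(map[string]bool, len(safeMethods))
	for _, m := range safeMethods {
		safe[m] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !safe[r.Method] {
			got := r.Header.Get("X-CSRF-Token")
			// Constant-time comparison; an empty or wrong token is rejected.
			if subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
				http.Error(w, "CSRF token invalid", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one constructed request through h and returns the response code.
func status(h http.Handler, method, token string) int {
	req := httptest.NewRequest(method, "/upstream", nil)
	if token != "" {
		req.Header.Set("X-CSRF-Token", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
	const tok = "constructed-sample-token" // constructed value for the demo
	defaults := protect(tok, []string{"GET", "HEAD", "OPTIONS", "TRACE"}, ok) // the package's built-in safe set
	strict := protect(tok, []string{"HEAD", "OPTIONS"}, ok)                   // GET may modify upstream state
	fmt.Println(status(defaults, "GET", ""), status(strict, "GET", ""), status(strict, "GET", tok))
}
```

With GET removed from the safe set, a proxy in front of a state-changing GET endpoint rejects the token-less request, and the client then has to obtain a token through one of the methods that remain safe.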

stale commented

This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.