Commit 5401550
Replace configurable CSRF with automatic pipeline separation
This commit replaces the disable_csrf configuration option with an
automatic pipeline separation approach that resolves CSRF conflicts
with Phoenix applications while maintaining security.
Changes:
- Remove disable_csrf option and related conditional logic
- Implement automatic request routing by path:
* /assets/* → Asset pipeline (no CSRF protection)
* All other routes → Form pipeline (full CSRF protection)
- Maintain CSRF tokens in HTML pages for JavaScript AJAX requests
- Update documentation to explain the automatic approach
Benefits:
- No configuration required - works automatically
- Fixes InvalidCrossOriginRequestError for JavaScript/CSS assets
- Maintains security for all form submissions and API calls
- Follows Phoenix pattern of separating assets from interactive routes
This resolves conflicts when embedding in Phoenix applications while
providing better security than fully disabling CSRF protection.
1 parent d295ad6, commit 5401550
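As an added illustration of the path-based split described in this commit message (not code from the commit or its project), a Phoenix router that sends `/assets/*` through a pipeline without CSRF protection and every other route through a fully protected one; the `EmbeddedWeb.*` module and controller names are assumptions, and the endpoint is assumed to configure `Plug.Session` before this router runs:

```elixir
defmodule EmbeddedWeb.Router do
  # Added example; the EmbeddedWeb.* names are assumed, not the project's own.
  use Phoenix.Router
  import Plug.Conn
  import Phoenix.Controller

  # Asset pipeline. Plug's CSRF protection also rejects plain GET requests
  # that return JavaScript (InvalidCrossOriginRequestError, the error named
  # in the commit), so protect_from_forgery is deliberately left out here.
  # Assets are read-only, so nothing state-changing is exposed by this.
  pipeline :assets do
    plug :put_secure_browser_headers
  end

  # Form pipeline: every interactive route gets a session and CSRF checks.
  # protect_from_forgery accepts the token from the _csrf_token form field
  # or the x-csrf-token header, so AJAX callers read it from the page's
  # <meta name="csrf-token" content={get_csrf_token()}> tag and send it.
  pipeline :form do
    plug :accepts, ["html", "json"]
    plug :fetch_session
    plug :protect_from_forgery
    plug :put_secure_browser_headers
  end

  # The request path selects the pipeline; there is no disable_csrf switch
  # that an embedding application could set and forget.
  scope "/assets", EmbeddedWeb do
    pipe_through :assets
    get "/*path", AssetController, :show
  end

  scope "/", EmbeddedWeb do
    pipe_through :form
    get "/", PageController, :index
    post "/submit", PageController, :submit
    post "/api/action", ApiController, :action
  end
end
```

A quick check after wiring this in: a `POST /submit` without a token must be rejected with `Plug.CSRFProtection.InvalidCSRFTokenError`, while `GET /assets/app.js` must succeed without one.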
1 file changed, +34 / -40 lines changed

Diff table: the file's line contents were not captured on this page; only the line numbers and the +/- markers survived. The four hunks are:
- old lines 2-13 → new lines 2-22: 11 lines added after old line 4, old lines 9-10 removed
- old lines 17-25 → new lines 26-31: old lines 20-22 removed
- old lines 32-57 → new lines 38-50: old lines 35-45 replaced by new line 41, old lines 51-54 replaced by new line 47
- old lines 308-339 → new lines 301-333: old lines 311-318 replaced by new lines 304-310, old lines 322-327 by new lines 314-320, old lines 331-336 by new lines 324-330