
[Stimulus/Turbo] CSRF not working in frames #2583

Open
Hugo-Le-Goff opened this issue Feb 21, 2025 · 1 comment
Labels
Bug Bug Fix Status: Needs Review Needs to be reviewed

Comments

@Hugo-Le-Goff

Hugo-Le-Goff commented Feb 21, 2025

Hello, I've been struggling for a while with CSRF and turbo frames. When a form is inside a frame, it starts at some point to throw invalid CSRF token errors.

First of all, I have the latest Stimulus CSRF config from the recipe, with:

```yaml
# Enable stateless CSRF protection for forms and logins/logouts
framework:
    form:
        csrf_protection:
            token_id: submit

    csrf_protection:
        stateless_token_ids:
            - submit
            - authenticate
            - logout
        check_header: true # I added this one yesterday after finding out about it somewhere
```

And the latest version of csrf_protection_controller.js.

After facing this problem a bunch of times, I realised that the problem happens when forms in frames were on pages where there is no form. And it reminded me of another problem I faced: lazy Stimulus controllers not being initialized after a frame navigation on pages where the controller was not initially called. It makes sense, because only a Turbo visit updates the loaded lazy controllers, but not a frame navigation.

So I looked into the csrf_protection_controller.js and found out that it was lazy loaded:

```js
/* stimulusFetch: 'lazy' */
export default 'csrf-protection-controller';
```

After removing that lazy behavior line, everything started working fine. Because the CSRF controller is available anywhere at any time now, I suppose.

Maybe my thought is wrong and I understand nothing about CSRF with Turbo and Stimulus. I am a bit overwhelmed by this topic since I started using Symfony UX, and I'm probably doing something wrong. But I wanted to share my finding here; maybe it's a real issue.

Also, I wanted to ask about the necessity of check_header: true in the CSRF config (I can't remember where I found out about the need for this one; maybe it's useless). And about the LiveComponent and CORS system: there are only a few lines in the documentation about it, so where are we supposed to configure it?

Thank you very much for all the awesome work on Symfony and Symfony UX, it's really a pleasure to work with it.

@smnandre
Member

It could be linked to #2590. Could you check the PR please?

smnandre added a commit that referenced this issue Feb 24, 2025
…rbo (smnandre)

This PR was merged into the 2.x branch.

Discussion
----------

[StimulusBundle] Fix lazy load Stimulus controllers with Turbo

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no <!-- please update src/**/CHANGELOG.md files -->
| Issues        | Fix #2576 / maybe #2583
| License       | MIT

Partial revert of some changes to fix issues with Turbo and lazyload Stimulus controllers

Commits
-------

111fd4c fix: lazy load Stimulus controllers with Turbo