I'm working on an AngularJS webapp with a Laravel backend.
I want to enable CSRF protection with cross-domain requests. Is it possible?
$http reference in "Cross Site Request Forgery" says "The header will not be set for cross-domain requests"
Looking the Developer Tools logs I see that after the $http.post call the preflight request is sent (OPTION verb) and it has the XSRF-TOKEN cookies set, but the POST request has no cookies so I can't do:
$http.defaults.headers.post['X-CSRFToken'] = $cookies['XSRF-TOKEN'];
Any idea?
UPDATE:
@zeroflagL: I tried with
$http.defaults.headers.common.xsrfCookieName = 'XSRF-TOKEN';
$http.defaults.headers.common.xsrfHeaderName = 'X-XSRF-TOKEN';
And now in the Request headers of the POST I have:
xsrfCookieName:XSRF-TOKEN
xsrfHeaderName:X-XSRF-TOKEN
But the CSRF check is not passed (TokenMismatchException on the server). I suppose that in the Request headers there should be the XSRF-TOKEN to work...
As zeroflagL said CSRF protection can't be applied to cross domain requests.
To reply to my question: no, it's not possible.