How to Enable CSRF Protection for every origin in Phoenix with an independent client

Configuration:

  • I have a react app making requests to phoenix server
  • Phoenix sets sessions in the form of cookies
  • CSRF protection is enabled at the server, which requires the session to be fetched
  • For the browser to send the cookie (session) as required by CSRF protection, I need to add `credentials: 'include'` to the React request config

Problem:
This works fine when my origin is not set to "*".
But, on using the "*" origin it throws this error:
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'

I know we can't specify "*" as the 'Access-Control-Allow-Origin' header in a credentialed request. But how do I make it work then? And how come no one else is facing this issue?

Not a problem, that is by design of the spec, which is more English-readable at Cross-Origin Resource Sharing (CORS) - HTTP | MDN if curious. :slight_smile:

You just have to specify the allowed origins is all. If it is dynamic then make a custom plug to set up the header as necessary. This is all part of web-standard stuff, thus the general thing is 'How would a <generic> server handle this?'. :slight_smile:
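A concrete version of the "custom plug" suggested above, written as an added example for this thread rather than code from the poster or from Phoenix itself. The module name `MyAppWeb.Plugs.CORS` and the origin allowlist are assumptions; the point is that the plug reflects the request's `Origin` back only when it matches an explicit allowlist, never `*`, and adds `Access-Control-Allow-Credentials` and `Vary: Origin` so the cookie-carrying request the question describes is accepted by the browser:

```elixir
defmodule MyAppWeb.Plugs.CORS do
  @moduledoc """
  Hypothetical CORS plug (not part of Phoenix) for credentialed requests.

  A credentialed request (fetch with `credentials: 'include'`) is rejected by
  the browser if `Access-Control-Allow-Origin` is `*`, so this plug echoes the
  exact request origin back, and only when that origin is on an allowlist.
  """
  import Plug.Conn
  @behaviour Plug

  # Constructed allowlist; replace with the real origins of your front ends.
  @allowed_origins ["https://app.example.com", "http://localhost:3000"]

  @impl true
  def init(opts), do: Keyword.put_new(opts, :origins, @allowed_origins)

  @impl true
  def call(conn, opts) do
    origins = Keyword.fetch!(opts, :origins)

    case get_req_header(conn, "origin") do
      [origin] ->
        if origin in origins do
          conn
          # Reflect the single matching origin; never "*" on a credentialed request.
          |> put_resp_header("access-control-allow-origin", origin)
          |> put_resp_header("access-control-allow-credentials", "true")
          # Tell caches the response differs per Origin, so one origin's
          # allow header is never served to another.
          |> put_resp_header("vary", "origin")
          |> maybe_handle_preflight()
        else
          # Unknown origin: send no CORS headers at all; the browser blocks
          # the response and no cookie-authenticated data leaks cross-site.
          conn
        end

      _ ->
        # Same-origin navigation or a non-browser client: nothing to add.
        conn
    end
  end

  # Answer OPTIONS preflights here so they never reach the router, and so
  # the CSRF plug (which would reject them for lacking a token) never sees them.
  defp maybe_handle_preflight(%Plug.Conn{method: "OPTIONS"} = conn) do
    conn
    |> put_resp_header("access-control-allow-methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
    # With credentials, "*" is not honoured for headers either, so list them.
    |> put_resp_header("access-control-allow-headers", "content-type, x-csrf-token")
    |> put_resp_header("access-control-max-age", "600")
    |> send_resp(204, "")
    |> halt()
  end

  defp maybe_handle_preflight(conn), do: conn
end
```

Mount it in `endpoint.ex` with `plug MyAppWeb.Plugs.CORS` ahead of the router (and ahead of `Plug.Session`/`protect_from_forgery`, which live in the router pipeline) so preflights are answered before any CSRF check runs. The React client then sends the token it fetched from the session-backed endpoint in the `x-csrf-token` header, which is why that header is listed in `Access-Control-Allow-Headers`. The allowlist comparison is exact-string, including scheme and port; an allowlist built from a regex or a suffix match would let `https://app.example.com.evil.test` through, which is the classic mistake with "dynamic" origin reflection.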