forms hidden field CSRF token is not updated when turbolinks is enabled

Maurizio_De_Santis · June 20, 2017, 3:29pm

I’m unsure in which project to open a bug, so I want to ask first.

rails 5.1.1, turbolinks 5.0.1, turbolinks-source 5.0.3

Reproduction steps:

Visit a page with a form with authenticity token field inside Navigate with turbolinks links or click browser Back and Forward buttons Check the form with authenticity token field value

Expected:

Its value should be the same of head meta name=“csrf-token” value

Got:

Its value differs from head meta name=“csrf-token” value

Temporary fix:

Load this javascript (coffeescript syntax):

$(document).on ‘turbolinks:load’, → $(‘input[name=authenticity_token]’).val Rails.csrfToken()

Maurizio_De_Santis · June 20, 2017, 3:30pm

The question is: where should I open it as a bug?

Topic		Replies	Views
Form_with - first field value is overriden with a token-like string A May Of WTFs	10	2505	June 26, 2021
form_authenticity_token (csrf meta tags) interferes with proxy caching rubyonrails-core	0	216	May 5, 2014
Can't verify CSRF token authenticity rubyonrails-talk announcement	0	2369	March 26, 2023
Putting form_authenticity_token (csrf token) in a cookie instead of in meta tags? rubyonrails-talk	1	342	May 5, 2014
Ajax and Rails 2.0 rubyonrails-talk	3	216	February 6, 2008

forms hidden field CSRF token is not updated when turbolinks is enabled

Related topics

More Resources