Change record status: 
Project: 
Introduced in branch: 
8.2.x
Introduced in version: 
8.2.0-beta1
Description: 

The method of protecting routes provided by the REST module by using the "_access_rest_csrf" requirement on the route has been deprecated in favor of the new route requirement "_csrf_request_header_token". This new requirement is provided by the System module so it is not necessary to install the REST module to use this protection on a route.

The new _csrf_request_header_token protection acts identically to _access_rest_csrf for clients. To retrieve the current session's CSRF token, make a GET request to /session/token. To provide the token for a protected route, send it in the "X-CSRF-Token" request header. The route protection only applies to HTTP write operation requests; it does not apply to 'GET', 'HEAD', 'OPTIONS', or 'TRACE' requests.

This should not be confused with the route requirement _csrf_token which expects requests to have the token in a query string parameter "token".
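
The client flow described above, as an added example that is not code from this change record or from Drupal core: the server side is a constructed in-memory stand-in that applies only the rule stated here (write methods must carry a matching X-CSRF-Token header, safe methods are not checked, a "token" query parameter is ignored), and the names makeMockSite, makeCsrfClient, the /api/item path and the token value are hypothetical.

```javascript
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
const PROTECTED_PATH = '/api/item'; // hypothetical route using _csrf_request_header_token

// Constructed stand-in for the site: GET /session/token returns the current
// session's token; any write method on the protected route must echo it in
// the X-CSRF-Token header. A "token" query parameter is deliberately not
// consulted, since that belongs to the separate _csrf_token requirement.
function makeMockSite(sessionToken) {
  return function handle({ method, path, headers = {} }) {
    const m = method.toUpperCase();
    if (path === '/session/token' && m === 'GET') {
      return { status: 200, body: sessionToken };
    }
    if (path === PROTECTED_PATH) {
      const isWrite = !SAFE_METHODS.has(m);
      if (isWrite && headers['X-CSRF-Token'] !== sessionToken) {
        return { status: 403, body: 'forbidden' };
      }
      return { status: 200, body: `${m} ok` };
    }
    return { status: 404, body: 'not found' };
  };
}

// Client helper: fetch the token once, then attach it to every write request.
// `send` is the transport (the mock above here; in a browser this would wrap
// fetch() and set the same header on the request).
function makeCsrfClient(send) {
  let token = null;
  return function request(method, path, body) {
    const headers = {};
    if (!SAFE_METHODS.has(method.toUpperCase())) {
      if (token === null) {
        token = send({ method: 'GET', path: '/session/token' }).body;
      }
      headers['X-CSRF-Token'] = token;
    }
    return send({ method, path, headers, body });
  };
}

// Sample run with a constructed token value: the GET needs no token,
// the POST triggers one token fetch and is then accepted.
const site = makeMockSite('constructed-token-value');
const client = makeCsrfClient(site);
const readResult = client('GET', PROTECTED_PATH);
const writeResult = client('POST', PROTECTED_PATH, '{"title":"x"}');
```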

Deprecated support of _access_rest_csrf will be removed in 10.0.0.

Impacts: 
Module developers
Updates Done (doc team, etc.)
Online documentation: 
Not done
Theming guide: 
Not done
Module developer documentation: 
Not done
Examples project: 
Not done
Coder Review: 
Not done
Coder Upgrade: 
Not done
Other: 
Other updates done

Comments

I'm using the `_csrf_request_header_token` requirement in my custom route, but it isn't getting checked...