In PlUploadFile::preRenderPlUploadFile(), the plupload url token is generated using the path "plupload-handle-uploads". This assumes the route has not been altered to another path.

D8 core already calculates the token when "_csrf" is set on the route.
See https://www.drupal.org/docs/8/api/routing-system/access-checking-on-rout...

Comments

recrit created an issue. See original summary.

recrit’s picture

Status: Active » Needs review
FileSize
652 bytes

The patch attached removes the custom query parameter for the token to allow Drupal to auto generate it.

budalokko’s picture

Status: Needs review » Postponed

Actually the patch didn't work for me in a Drupal 8.2 clean install.

Instead of the CSRF token, a placeholder is added that will be replaced at render time. But we don't render that URL on an HTML page, just add it to the JavaScript settings array, so it will never be replaced.

It's the same problem as stated in #2793109: [PP-1] _csrf_token in route breaks custom #ajax url, so I think it's better we generate the CSRF token on our own until core finds a solution for this situation.

budalokko’s picture

Version: 8.x-1.x-dev » 2.1.x-dev
Status: Postponed » Needs work
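
The path dependency raised in the issue summary, shown as an added stand-alone PHP model; it is not code from the plupload module or from Drupal core. It assumes the token is an HMAC over the route path keyed with session and site secrets; the `model_*` functions, the secrets and the altered path are hypothetical.

```php
<?php
// Simplified stand-alone model (an assumption, not Drupal core code) of a
// path-bound CSRF token: HMAC-SHA256 over the path, keyed with per-session
// and per-site secrets, then URL-safe base64 encoded.
function model_token(string $path, string $sessionSeed, string $siteSecret): string {
  $mac = hash_hmac('sha256', $path, $sessionSeed . $siteSecret, true);
  return rtrim(strtr(base64_encode($mac), '+/', '-_'), '=');
}

// The access check recomputes the token for the path of the route that is
// actually being requested and compares the two values in constant time.
function model_access_check(string $routePath, string $token, string $sessionSeed, string $siteSecret): bool {
  $expected = model_token(ltrim($routePath, '/'), $sessionSeed, $siteSecret);
  return hash_equals($expected, $token);
}

// Constructed sample secrets.
$seed = 'constructed-session-seed';
$secret = 'constructed-site-secret';

// Hypothetical route table: the second entry stands for a site that has
// altered the upload route to another path.
$routes = [
  'default' => '/plupload-handle-uploads',
  'altered' => '/files/chunked-upload',
];

foreach ($routes as $label => $routePath) {
  // Element code that hard-codes the path, as described in the issue summary.
  $hardcoded = model_token('plupload-handle-uploads', $seed, $secret);
  // Element code that derives the token value from the route's current path.
  $derived = model_token(ltrim($routePath, '/'), $seed, $secret);

  printf("%-8s hard-coded: %-6s derived: %s\n",
    $label,
    model_access_check($routePath, $hardcoded, $seed, $secret) ? 'pass' : 'reject',
    model_access_check($routePath, $derived, $seed, $secret) ? 'pass' : 'reject'
  );
}
```

A module that generates the token itself, as the last comment proposes, stays valid after a route alter only if the value it signs is taken from the route's current path rather than from a literal string.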