feat(security): Automatic XSRF handling.

Automatically recognize XSRF protection cookies, and set a corresponding XSRF header. Allows applications to configure the cookie names, or if needed, completely override the XSRF request configuration by binding their own XSRFHandler implementation. Part of #8511.
2016-05-27 20:15:40 -07:00
parent 3ae29c08ac
commit 4d793c4eb8
10 changed files with 195 additions and 22 deletions
--- a/modules/@angular/platform-browser/src/browser/browser_adapter.ts
+++ b/modules/@angular/platform-browser/src/browser/browser_adapter.ts
@ -350,6 +350,18 @@ export class BrowserDomAdapter extends GenericBrowserDomAdapter {
      return DateWrapper.toMillis(DateWrapper.now());
    }
  }
+
+  supportsCookies(): boolean { return true; }
+
+  getCookie(name: string): string {
+    return parseCookieValue(document.cookie, name);
+  }
+
+  setCookie(name: string, value: string) {
+    // document.cookie is magical, assigning into it assigns/overrides one cookie value, but does
+    // not clear other cookies.
+    document.cookie = encodeURIComponent(name) + '=' + encodeURIComponent(value);
+  }
 }


@ -374,3 +386,15 @@ function relativePath(url): string {
  return (urlParsingNode.pathname.charAt(0) === '/') ? urlParsingNode.pathname :
                                                       '/' + urlParsingNode.pathname;
 }
+
+export function parseCookieValue(cookie: string, name: string): string {
+  name = encodeURIComponent(name);
+  let cookies = cookie.split(';');
+  for (let cookie of cookies) {
+    let [key, value] = cookie.split('=', 2);
+    if (key.trim() === name) {
+      return decodeURIComponent(value);
+    }
+  }
+  return null;
+}
--- a/modules/@angular/platform-browser/src/dom/dom_adapter.ts
+++ b/modules/@angular/platform-browser/src/dom/dom_adapter.ts
@ -152,4 +152,8 @@ export abstract class DomAdapter {
  abstract getAnimationPrefix(): string;
  abstract getTransitionEnd(): string;
  abstract supportsAnimation(): boolean;
+
+  abstract supportsCookies(): boolean;
+  abstract getCookie(name: string): string;
+  abstract setCookie(name: string, value: string);
 }
--- a/modules/@angular/platform-browser/src/web_workers/worker/worker_adapter.ts
+++ b/modules/@angular/platform-browser/src/web_workers/worker/worker_adapter.ts
@ -153,4 +153,8 @@ export class WorkerDomAdapter extends DomAdapter {
  getTransitionEnd(): string { throw "not implemented"; }
  supportsAnimation(): boolean { throw "not implemented"; }
  supportsWebAnimation(): boolean { throw "not implemented"; }
+
+  supportsCookies(): boolean { return false; }
+  getCookie(name: string): string { throw "not implemented"; }
+  setCookie(name: string, value: string) { throw "not implemented"; }
 }