Merge pull request #2191 from ing-bank/changeset-release/master

Version Packages
ing-bank · Feb 29, 2024 · b193d22 · b193d22
2 parents 5a2e01c + fce6328
commit b193d22
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 13 deletions.
diff --git a/.changeset/two-plums-run.md b/.changeset/two-plums-run.md
diff --git a/packages/ajax/CHANGELOG.md b/packages/ajax/CHANGELOG.md
@@ -1,5 +1,18 @@
 # Change Log
 
+## 2.0.0
+
+### Major Changes
+
+- 04d08683: BREAKING: Only add XSRF token on mutable requests and on same origin or whitelisted origins
+
+  Previously the XSRF token was added to any call to any origin.
+  This is changed in two ways.
+  (1) The token is now only attached to requests that are POST/PUT/PATCH/DELETE.
+  (2) It will validate if the request origin is the same as current origin or when the origin is in the xsrfTrustedOrigins.
+
+  This is a fix for a vulnerability: we inadvertently revealed the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host. This allowed attackers to view sensitive information.
+
 ## 1.3.0
 
 ### Minor Changes

diff --git a/packages/ajax/package.json b/packages/ajax/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@lion/ajax",
-  "version": "1.3.0",
+  "version": "2.0.0",
   "description": "Thin wrapper around fetch with support for interceptors.",
   "license": "MIT",
   "author": "ing-bank",