{"url":"https://api.github.com/repos/axios/axios/pulls/6046","id":1579643127,"node_id":"PR_kwDOAWBOZM5eJ3D3","html_url":"https://github.com/axios/axios/pull/6046","diff_url":"https://github.com/axios/axios/pull/6046.diff","patch_url":"https://github.com/axios/axios/pull/6046.patch","issue_url":"https://api.github.com/repos/axios/axios/issues/6046","number":6046,"state":"closed","locked":false,"title":"feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior;","user":{"login":"DigitalBrainJS","id":12586868,"node_id":"MDQ6VXNlcjEyNTg2ODY4","avatar_url":"https://avatars.githubusercontent.com/u/12586868?v=4","gravatar_id":"","url":"https://api.github.com/users/DigitalBrainJS","html_url":"https://github.com/DigitalBrainJS","followers_url":"https://api.github.com/users/DigitalBrainJS/followers","following_url":"https://api.github.com/users/DigitalBrainJS/following{/other_user}","gists_url":"https://api.github.com/users/DigitalBrainJS/gists{/gist_id}","starred_url":"https://api.github.com/users/DigitalBrainJS/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/DigitalBrainJS/subscriptions","organizations_url":"https://api.github.com/users/DigitalBrainJS/orgs","repos_url":"https://api.github.com/users/DigitalBrainJS/repos","events_url":"https://api.github.com/users/DigitalBrainJS/events{/privacy}","received_events_url":"https://api.github.com/users/DigitalBrainJS/received_events","type":"User","user_view_type":"public","site_admin":false},"body":"Since automatic XSRF token sending when the `withCredentials` option is set has become considered a vulnerability, although it could be disabled, the only practical solution is probably to add a separate option to control the sending of the token.\r\nSo now the user must explicitly set `withXSRFToken` to `true` to send XSRF token to third-party origins.\r\nBy default `withXSRFToken` is undefined - the token will be sent only to the same origin.\r\nYou can 
set it to false to disable setting the header at all. In practice, this is the same as setting `xsrfCookieName` or `xsrfHeaderName` to falsy.\r\nTo migrate from the old withCredentials behavior (<v1.6.0), you should now use withXSRFToken along with withCredentials.\r\nYou can emulate the old **unsafe** behavior with just one line:\r\n\r\n```js\r\naxios.defaults.withXSRFToken = (config) => !!config.withCredentials;\r\n```\r\n\r\nSee #6028 \r\n\r\n```changelog\r\n📢 This PR added 'withXSRFToken' option as a replacement for old withCredentials behaviour. \r\nYou should now use withXSRFToken along with withCredentials to get the old behavior.\r\nThis functionality is considered as a fix.\r\n```","created_at":"2023-10-30T18:37:03Z","updated_at":"2023-11-16T00:24:00Z","closed_at":"2023-11-14T13:38:25Z","merged_at":"2023-11-14T13:38:25Z","merge_commit_sha":"cff996779b272a5e94c2b52f5503ccf668bc42dc","assignees":[],"requested_reviewers":[],"requested_teams":[],"labels":[],"milestone":null,"draft":false,"commits_url":"https://api.github.com/repos/axios/axios/pulls/6046/commits","review_comments_url":"https://api.github.com/repos/axios/axios/pulls/6046/comments","review_comment_url":"https://api.github.com/repos/axios/axios/pulls/comments{/number}","comments_url":"https://api.github.com/repos/axios/axios/issues/6046/comments","statuses_url":"https://api.github.com/repos/axios/axios/statuses/beddb23d0d8361c8ffde278177139ff1d1d54b8e","head":{"label":"DigitalBrainJS:feat/xsrf","ref":"feat/xsrf","sha":"beddb23d0d8361c8ffde278177139ff1d1d54b8e","user":{"login":"DigitalBrainJS","id":12586868,"node_id":"MDQ6VXNlcjEyNTg2ODY4","avatar_url":"https://avatars.githubusercontent.com/u/12586868?v=4","gravatar_id":"","url":"https://api.github.com/users/DigitalBrainJS","html_url":"https://github.com/DigitalBrainJS","followers_url":"https://api.github.com/users/DigitalBrainJS/followers","following_url":"https://api.github.com/users/DigitalBrainJS/following{/other_user}","gists_url":"https://api.gith
ub.com/users/DigitalBrainJS/gists{/gist_id}","starred_url":"https://api.github.com/users/DigitalBrainJS/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/DigitalBrainJS/subscriptions","organizations_url":"https://api.github.com/users/DigitalBrainJS/orgs","repos_url":"https://api.github.com/users/DigitalBrainJS/repos","events_url":"https://api.github.com/users/DigitalBrainJS/events{/privacy}","received_events_url":"https://api.github.com/users/DigitalBrainJS/received_events","type":"User","user_view_type":"public","site_admin":false},"repo":{"id":296130286,"node_id":"MDEwOlJlcG9zaXRvcnkyOTYxMzAyODY=","name":"axios","full_name":"DigitalBrainJS/axios","private":false,"owner":{"login":"DigitalBrainJS","id":12586868,"node_id":"MDQ6VXNlcjEyNTg2ODY4","avatar_url":"https://avatars.githubusercontent.com/u/12586868?v=4","gravatar_id":"","url":"https://api.github.com/users/DigitalBrainJS","html_url":"https://github.com/DigitalBrainJS","followers_url":"https://api.github.com/users/DigitalBrainJS/followers","following_url":"https://api.github.com/users/DigitalBrainJS/following{/other_user}","gists_url":"https://api.github.com/users/DigitalBrainJS/gists{/gist_id}","starred_url":"https://api.github.com/users/DigitalBrainJS/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/DigitalBrainJS/subscriptions","organizations_url":"https://api.github.com/users/DigitalBrainJS/orgs","repos_url":"https://api.github.com/users/DigitalBrainJS/repos","events_url":"https://api.github.com/users/DigitalBrainJS/events{/privacy}","received_events_url":"https://api.github.com/users/DigitalBrainJS/received_events","type":"User","user_view_type":"public","site_admin":false},"html_url":"https://github.com/DigitalBrainJS/axios","description":"Promise based HTTP client for the browser and 
node.js","fork":true,"url":"https://api.github.com/repos/DigitalBrainJS/axios","forks_url":"https://api.github.com/repos/DigitalBrainJS/axios/forks","keys_url":"https://api.github.com/repos/DigitalBrainJS/axios/keys{/key_id}","collaborators_url":"https://api.github.com/repos/DigitalBrainJS/axios/collaborators{/collaborator}","teams_url":"https://api.github.com/repos/DigitalBrainJS/axios/teams","hooks_url":"https://api.github.com/repos/DigitalBrainJS/axios/hooks","issue_events_url":"https://api.github.com/repos/DigitalBrainJS/axios/issues/events{/number}","events_url":"https://api.github.com/repos/DigitalBrainJS/axios/events","assignees_url":"https://api.github.com/repos/DigitalBrainJS/axios/assignees{/user}","branches_url":"https://api.github.com/repos/DigitalBrainJS/axios/branches{/branch}","tags_url":"https://api.github.com/repos/DigitalBrainJS/axios/tags","blobs_url":"https://api.github.com/repos/DigitalBrainJS/axios/git/blobs{/sha}","git_tags_url":"https://api.github.com/repos/DigitalBrainJS/axios/git/tags{/sha}","git_refs_url":"https://api.github.com/repos/DigitalBrainJS/axios/git/refs{/sha}","trees_url":"https://api.github.com/repos/DigitalBrainJS/axios/git/trees{/sha}","statuses_url":"https://api.github.com/repos/DigitalBrainJS/axios/statuses/{sha}","languages_url":"https://api.github.com/repos/DigitalBrainJS/axios/languages","stargazers_url":"https://api.github.com/repos/DigitalBrainJS/axios/stargazers","contributors_url":"https://api.github.com/repos/DigitalBrainJS/axios/contributors","subscribers_url":"https://api.github.com/repos/DigitalBrainJS/axios/subscribers","subscription_url":"https://api.github.com/repos/DigitalBrainJS/axios/subscription","commits_url":"https://api.github.com/repos/DigitalBrainJS/axios/commits{/sha}","git_commits_url":"https://api.github.com/repos/DigitalBrainJS/axios/git/commits{/sha}","comments_url":"https://api.github.com/repos/DigitalBrainJS/axios/comments{/number}","issue_comment_url":"https://api.github.com/repos/DigitalBrain
JS/axios/issues/comments{/number}","contents_url":"https://api.github.com/repos/DigitalBrainJS/axios/contents/{+path}","compare_url":"https://api.github.com/repos/DigitalBrainJS/axios/compare/{base}...{head}","merges_url":"https://api.github.com/repos/DigitalBrainJS/axios/merges","archive_url":"https://api.github.com/repos/DigitalBrainJS/axios/{archive_format}{/ref}","downloads_url":"https://api.github.com/repos/DigitalBrainJS/axios/downloads","issues_url":"https://api.github.com/repos/DigitalBrainJS/axios/issues{/number}","pulls_url":"https://api.github.com/repos/DigitalBrainJS/axios/pulls{/number}","milestones_url":"https://api.github.com/repos/DigitalBrainJS/axios/milestones{/number}","notifications_url":"https://api.github.com/repos/DigitalBrainJS/axios/notifications{?since,all,participating}","labels_url":"https://api.github.com/repos/DigitalBrainJS/axios/labels{/name}","releases_url":"https://api.github.com/repos/DigitalBrainJS/axios/releases{/id}","deployments_url":"https://api.github.com/repos/DigitalBrainJS/axios/deployments","created_at":"2020-09-16T19:36:37Z","updated_at":"2026-04-12T23:07:18Z","pushed_at":"2026-04-21T22:17:44Z","git_url":"git://github.com/DigitalBrainJS/axios.git","ssh_url":"git@github.com:DigitalBrainJS/axios.git","clone_url":"https://github.com/DigitalBrainJS/axios.git","svn_url":"https://github.com/DigitalBrainJS/axios","homepage":"","size":26935,"stargazers_count":2,"watchers_count":2,"language":"JavaScript","has_issues":true,"has_projects":true,"has_downloads":true,"has_wiki":false,"has_pages":false,"has_discussions":false,"forks_count":0,"mirror_url":null,"archived":false,"disabled":false,"open_issues_count":2,"license":{"key":"mit","name":"MIT 
License","spdx_id":"MIT","url":"https://api.github.com/licenses/mit","node_id":"MDc6TGljZW5zZTEz"},"allow_forking":true,"is_template":false,"web_commit_signoff_required":false,"has_pull_requests":true,"pull_request_creation_policy":"all","topics":[],"visibility":"public","forks":0,"open_issues":2,"watchers":2,"default_branch":"master"}},"base":{"label":"axios:v1.x","ref":"v1.x","sha":"7009715369a50740ba2ce00534012c1caf269ad2","user":{"login":"axios","id":32372333,"node_id":"MDEyOk9yZ2FuaXphdGlvbjMyMzcyMzMz","avatar_url":"https://avatars.githubusercontent.com/u/32372333?v=4","gravatar_id":"","url":"https://api.github.com/users/axios","html_url":"https://github.com/axios","followers_url":"https://api.github.com/users/axios/followers","following_url":"https://api.github.com/users/axios/following{/other_user}","gists_url":"https://api.github.com/users/axios/gists{/gist_id}","starred_url":"https://api.github.com/users/axios/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/axios/subscriptions","organizations_url":"https://api.github.com/users/axios/orgs","repos_url":"https://api.github.com/users/axios/repos","events_url":"https://api.github.com/users/axios/events{/privacy}","received_events_url":"https://api.github.com/users/axios/received_events","type":"Organization","user_view_type":"public","site_admin":false},"repo":{"id":23088740,"node_id":"MDEwOlJlcG9zaXRvcnkyMzA4ODc0MA==","name":"axios","full_name":"axios/axios","private":false,"owner":{"login":"axios","id":32372333,"node_id":"MDEyOk9yZ2FuaXphdGlvbjMyMzcyMzMz","avatar_url":"https://avatars.githubusercontent.com/u/32372333?v=4","gravatar_id":"","url":"https://api.github.com/users/axios","html_url":"https://github.com/axios","followers_url":"https://api.github.com/users/axios/followers","following_url":"https://api.github.com/users/axios/following{/other_user}","gists_url":"https://api.github.com/users/axios/gists{/gist_id}","starred_url":"https://api.github.com/users/axios/starred{/owner}{/
repo}","subscriptions_url":"https://api.github.com/users/axios/subscriptions","organizations_url":"https://api.github.com/users/axios/orgs","repos_url":"https://api.github.com/users/axios/repos","events_url":"https://api.github.com/users/axios/events{/privacy}","received_events_url":"https://api.github.com/users/axios/received_events","type":"Organization","user_view_type":"public","site_admin":false},"html_url":"https://github.com/axios/axios","description":"Promise based HTTP client for the browser and node.js","fork":false,"url":"https://api.github.com/repos/axios/axios","forks_url":"https://api.github.com/repos/axios/axios/forks","keys_url":"https://api.github.com/repos/axios/axios/keys{/key_id}","collaborators_url":"https://api.github.com/repos/axios/axios/collaborators{/collaborator}","teams_url":"https://api.github.com/repos/axios/axios/teams","hooks_url":"https://api.github.com/repos/axios/axios/hooks","issue_events_url":"https://api.github.com/repos/axios/axios/issues/events{/number}","events_url":"https://api.github.com/repos/axios/axios/events","assignees_url":"https://api.github.com/repos/axios/axios/assignees{/user}","branches_url":"https://api.github.com/repos/axios/axios/branches{/branch}","tags_url":"https://api.github.com/repos/axios/axios/tags","blobs_url":"https://api.github.com/repos/axios/axios/git/blobs{/sha}","git_tags_url":"https://api.github.com/repos/axios/axios/git/tags{/sha}","git_refs_url":"https://api.github.com/repos/axios/axios/git/refs{/sha}","trees_url":"https://api.github.com/repos/axios/axios/git/trees{/sha}","statuses_url":"https://api.github.com/repos/axios/axios/statuses/{sha}","languages_url":"https://api.github.com/repos/axios/axios/languages","stargazers_url":"https://api.github.com/repos/axios/axios/stargazers","contributors_url":"https://api.github.com/repos/axios/axios/contributors","subscribers_url":"https://api.github.com/repos/axios/axios/subscribers","subscription_url":"https://api.github.com/repos/axios/axios/subscri
ption","commits_url":"https://api.github.com/repos/axios/axios/commits{/sha}","git_commits_url":"https://api.github.com/repos/axios/axios/git/commits{/sha}","comments_url":"https://api.github.com/repos/axios/axios/comments{/number}","issue_comment_url":"https://api.github.com/repos/axios/axios/issues/comments{/number}","contents_url":"https://api.github.com/repos/axios/axios/contents/{+path}","compare_url":"https://api.github.com/repos/axios/axios/compare/{base}...{head}","merges_url":"https://api.github.com/repos/axios/axios/merges","archive_url":"https://api.github.com/repos/axios/axios/{archive_format}{/ref}","downloads_url":"https://api.github.com/repos/axios/axios/downloads","issues_url":"https://api.github.com/repos/axios/axios/issues{/number}","pulls_url":"https://api.github.com/repos/axios/axios/pulls{/number}","milestones_url":"https://api.github.com/repos/axios/axios/milestones{/number}","notifications_url":"https://api.github.com/repos/axios/axios/notifications{?since,all,participating}","labels_url":"https://api.github.com/repos/axios/axios/labels{/name}","releases_url":"https://api.github.com/repos/axios/axios/releases{/id}","deployments_url":"https://api.github.com/repos/axios/axios/deployments","created_at":"2014-08-18T22:30:27Z","updated_at":"2026-05-01T21:35:31Z","pushed_at":"2026-05-01T18:28:05Z","git_url":"git://github.com/axios/axios.git","ssh_url":"git@github.com:axios/axios.git","clone_url":"https://github.com/axios/axios.git","svn_url":"https://github.com/axios/axios","homepage":"https://axios-http.com","size":26588,"stargazers_count":109041,"watchers_count":109041,"language":"JavaScript","has_issues":true,"has_projects":false,"has_downloads":true,"has_wiki":false,"has_pages":false,"has_discussions":true,"forks_count":11661,"mirror_url":null,"archived":false,"disabled":false,"open_issues_count":166,"license":{"key":"mit","name":"MIT 
License","spdx_id":"MIT","url":"https://api.github.com/licenses/mit","node_id":"MDc6TGljZW5zZTEz"},"allow_forking":true,"is_template":false,"web_commit_signoff_required":false,"has_pull_requests":true,"pull_request_creation_policy":"all","topics":["hacktoberfest","http-client","javascript","nodejs","promise"],"visibility":"public","forks":11661,"open_issues":166,"watchers":109041,"default_branch":"v1.x"}},"_links":{"self":{"href":"https://api.github.com/repos/axios/axios/pulls/6046"},"html":{"href":"https://github.com/axios/axios/pull/6046"},"issue":{"href":"https://api.github.com/repos/axios/axios/issues/6046"},"comments":{"href":"https://api.github.com/repos/axios/axios/issues/6046/comments"},"review_comments":{"href":"https://api.github.com/repos/axios/axios/pulls/6046/comments"},"review_comment":{"href":"https://api.github.com/repos/axios/axios/pulls/comments{/number}"},"commits":{"href":"https://api.github.com/repos/axios/axios/pulls/6046/commits"},"statuses":{"href":"https://api.github.com/repos/axios/axios/statuses/beddb23d0d8361c8ffde278177139ff1d1d54b8e"}},"author_association":"COLLABORATOR","auto_merge":null,"assignee":null,"active_lock_reason":null,"merged":true,"mergeable":null,"rebaseable":null,"mergeable_state":"unknown","merged_by":{"login":"DigitalBrainJS","id":12586868,"node_id":"MDQ6VXNlcjEyNTg2ODY4","avatar_url":"https://avatars.githubusercontent.com/u/12586868?v=4","gravatar_id":"","url":"https://api.github.com/users/DigitalBrainJS","html_url":"https://github.com/DigitalBrainJS","followers_url":"https://api.github.com/users/DigitalBrainJS/followers","following_url":"https://api.github.com/users/DigitalBrainJS/following{/other_user}","gists_url":"https://api.github.com/users/DigitalBrainJS/gists{/gist_id}","starred_url":"https://api.github.com/users/DigitalBrainJS/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/DigitalBrainJS/subscriptions","organizations_url":"https://api.github.com/users/DigitalBrainJS/orgs","repos_url"
:"https://api.github.com/users/DigitalBrainJS/repos","events_url":"https://api.github.com/users/DigitalBrainJS/events{/privacy}","received_events_url":"https://api.github.com/users/DigitalBrainJS/received_events","type":"User","user_view_type":"public","site_admin":false},"comments":9,"review_comments":0,"maintainer_can_modify":false,"commits":36,"additions":118,"deletions":55,"changed_files":8}