From 036294d56607b217e70fc971fe179699b62caddd Mon Sep 17 00:00:00 2001 From: Schlemmer Date: Tue, 11 Jun 2019 09:43:06 +0200 Subject: [PATCH] docs: change interceptor documentation (#30969) PR Close #30969 --- aio/content/guide/http.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aio/content/guide/http.md b/aio/content/guide/http.md index 9024405b16..06ce0ae6e9 100644 --- a/aio/content/guide/http.md +++ b/aio/content/guide/http.md @@ -900,7 +900,7 @@ by returning an observable of simulated events. [Cross-Site Request Forgery (XSRF)](https://en.wikipedia.org/wiki/Cross-site_request_forgery) is an attack technique by which the attacker can trick an authenticated user into unknowingly executing actions on your website. `HttpClient` supports a [common mechanism](https://en.wikipedia.org/wiki/Cross-site_request_forgery#Cookie-to-Header_Token) used to prevent XSRF attacks. When performing HTTP requests, an interceptor reads a token from a cookie, by default `XSRF-TOKEN`, and sets it as an HTTP header, `X-XSRF-TOKEN`. Since only code that runs on your domain could read the cookie, the backend can be certain that the HTTP request came from your client application and not an attacker. -By default, an interceptor sends this cookie on all mutating requests (POST, etc.) +By default, an interceptor sends this header on all mutating requests (POST, etc.) to relative URLs but not on GET/HEAD requests or on requests with an absolute URL.
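Review bot: In the changed line, "this header" is left unnamed, and the nearest noun in the preceding context sentence is the cookie, which is likely how the original cookie/header mix-up crept in. Suggest naming it outright: "By default, an interceptor sends the `X-XSRF-TOKEN` header on all mutating requests (POST, etc.)". The unchanged context line that follows says the header is not sent on requests with an absolute URL; since this paragraph is being touched anyway, it would help to state the consequence, namely that a backend reached through an absolute URL receives no token from the default interceptor. The subject "change interceptor documentation" also does not say what was corrected; something like "docs: XSRF interceptor sends a header, not a cookie" would read better in the log.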