When creating a route that makes use of the nojs functionality of Drupal Ajax (the one that replaces "nojs" with "ajax" in your link when the link has the "use-ajax" class) in combination with the "_csrf_token" requirement on your route, the CSRF validation breaks on ajax requests as the path doesn't match the original rendered path anymore for which the token was generated.
For example:
My original link is:
/flag/flag/bookmark/1/nojs?destination=node/1&token=BKjZye8PPzpXvn_VlslxaXv_XdT1KoD5e-mGeaRmMlk
Drupal changes this path into:
/flag/flag/bookmark/1/ajax?destination=node/1&token=BKjZye8PPzpXvn_VlslxaXv_XdT1KoD5e-mGeaRmMlk
The new URL makes us able to return a proper response if the user has JS disabled (or just opened the link in a new tab).
However, "_csrf_token" bases it's token on the generated path, including all parameters, so when requested Ajax URL get's validated with \Drupal\Core\Access\CsrfAccessCheck, it denies access.
How I'm seeing it there are 2 possible solutions:
Needs work
10.1 β¨
Last updated
It denotes an issue that prevents porting of a contributed project to the stable version of Drupal due to missing APIs, regressions, and so on.
A change record needs to be drafted before an issue is committed. Note: Change records used to be called change notifications.
The major change should have a special release note written to summarize the importance of the change. See Write a release note for an issue.
Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.