I have a search view which collects a search term from a user and then
passes them to the search result view. The results view is constructed
in
two parts:
- basic server side rendering which builds the overall structure of the
page and includes a search form - ActionCable delivers rendered search results after the longish
running
search has completed, these views also contain a form
The form from bullet 1 works as expected. The form(s) from bullet 2
fail
CSRF checks.
My understanding is that CSRF tokens are added to the session when the
page
is rendered. As such, the first form works as it has reference to the
session. The forms generated in bullet 2 are done so by ActiveJob and
then
the rendered view is delivered to the browser via ActionCable. I
believe
that there is no session mapping here.
Can anyone suggest a good approach to correctly allowing form submission
with CSRF prevention in place on a form delivered asynchronously from an
ActiveJob via ActionCable?
I know I can get the browser to re-write the async tokens with
javascript
but that feels like quite a hack.
Thanks,
Dave