From 13aa520d6321130ea1e3ac02cd70dccf31a9192d Mon Sep 17 00:00:00 2001 From: Leonardo Mendoza Date: Fri, 20 Mar 2026 08:08:59 -0600 Subject: [PATCH 1/2] PD-0000 --- src/app/core/xsrf/xsrf-fallback.interceptor.ts | 7 ------- 1 file changed, 7 deletions(-) diff --git a/src/app/core/xsrf/xsrf-fallback.interceptor.ts b/src/app/core/xsrf/xsrf-fallback.interceptor.ts index 27c0bf46a6..0015e92fcd 100644 --- a/src/app/core/xsrf/xsrf-fallback.interceptor.ts +++ b/src/app/core/xsrf/xsrf-fallback.interceptor.ts @@ -17,8 +17,6 @@ declare const runtimeEnvironment: any * support (configured via withXsrfConfiguration) does not attach the header, * especially when using the local proxy setup. * - * Only active when not in production (local development runs). - * * Behaviour: * - For mutating backend calls (POST/PUT/PATCH/DELETE) to ORCID web APIs: * - If an XSRF header is already present, do nothing. @@ -34,11 +32,6 @@ export class XsrfFallbackInterceptor implements HttpInterceptor { req: HttpRequest, next: HttpHandler ): Observable> { - // Only apply fallback in local development (e.g. proxy / same-origin dev) - if (runtimeEnvironment.production) { - return next.handle(req) - } - const method = (req.method ?? '').toUpperCase() // Only care about mutating requests From 35dc2661110f22f27aff8342105babf50d6b132e Mon Sep 17 00:00:00 2001 From: Leonardo Mendoza Date: Fri, 20 Mar 2026 08:13:48 -0600 Subject: [PATCH 2/2] PD-0000 --- src/app/core/xsrf/xsrf-fallback.interceptor.spec.ts | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/src/app/core/xsrf/xsrf-fallback.interceptor.spec.ts b/src/app/core/xsrf/xsrf-fallback.interceptor.spec.ts index 2bc81025ac..2c81b8ba53 100644 --- a/src/app/core/xsrf/xsrf-fallback.interceptor.spec.ts +++ b/src/app/core/xsrf/xsrf-fallback.interceptor.spec.ts 
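Review bot: With the `runtimeEnvironment.production` early return removed from `intercept`, the cookie-to-header fallback now runs in production. That leaves the "ORCID web APIs" URL check further down, outside this hunk, as the only thing deciding which requests receive the XSRF token. Please confirm that check compares the request origin or path prefix against the configured API base exactly, not by substring, so the token is never attached to a request bound for another host. The commit message (`PD-0000`) and the trimmed doc comment give no reason for the change, so a line in the class comment such as `* Active in all environments; the token is only attached to same-origin ORCID API requests.` would record the intent. `intercept` continues past the end of the hunk, so the header-attachment logic itself is not visible here.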
@@ -45,18 +45,6 @@ describe('XsrfFallbackInterceptor', () => { httpMock.verify() }) - it('passes through without adding header when production is true', () => { - const env = (window as any).runtimeEnvironment - env.production = true - cookieGetSpy.and.returnValue('xsrf-token-123') - - http.post(apiBase + 'works/work.json', {}).subscribe() - - const req = httpMock.expectOne(apiBase + 'works/work.json') - expect(req.request.headers.has('x-xsrf-token')).toBe(false) - req.flush({}) - env.production = false - }) it('passes through GET requests without adding header', () => { http.get(apiBase + 'works/works.json').subscribe()
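Review bot: The production case is deleted here without a replacement, so nothing in the spec pins the new behaviour, namely that the fallback header is attached when `runtimeEnvironment.production` is true. A test that flips the flag and expects `x-xsrf-token` to carry the cookie value would catch an accidental reintroduction of the guard. This assumes the fallback copies the cookie value into that header, as the removed test implies. Restore the flag in a `finally` or an `afterEach`, so a failed expectation does not leak `production = true` into later specs.

```typescript
it('adds the header from the cookie when production is true', () => {
  const env = (window as any).runtimeEnvironment
  env.production = true
  try {
    cookieGetSpy.and.returnValue('xsrf-token-123')

    http.post(apiBase + 'works/work.json', {}).subscribe()

    const req = httpMock.expectOne(apiBase + 'works/work.json')
    expect(req.request.headers.get('x-xsrf-token')).toBe('xsrf-token-123')
    req.flush({})
  } finally {
    env.production = false
  }
})
```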