Closed
Description
Describe the bug
When CSRF is enabled, a CSRF token is sent with every issued request, including requests to cross-domain sites.
This is a problem when the third-party server does not allow this header to be sent (this use case is well described in #1036),
and it could potentially be exploited by an attacker, since it can allow a third-party site to obtain a token from the main site and therefore forge a CSRF request.
To Reproduce
This can be reproduced easily with a password OAuth flow security scheme and a Keycloak server (which by default does not authorize the x-xsrf-token header to be sent because it is not expected). See #1036.
Expected behavior
The CSRF header should not be added for cross-domain sites.