Opened 10 years ago

Closed 10 years ago

#15139 closed feature (invalid)

Need ability to pass payload with loader

Reported by: davidmarginian Owned by: davidmarginian
Priority: undecided Milestone: tbd
Component: Core Version: 1.7.2
Keywords: Cc:
Blocked By: Blocking:


For security purposes (CSRF protection), I am required to pass a token with all requests to the server. Even though Dojo and custom JavaScript? files are static and not really susceptible to CSRF the application I am working on is subject to security scans that require a token to be passed. The current loader does not allow for extra payload data to be passed.

packages: [

{ name: 'module1', location: path, main:'main'}


require(["module1", "dijit/layout/BorderContainer", etc.], function(module1) {



Dojo does the work of normalizing and resolving the dependencies and appends a ".js" to the files so that script tags may be generated and the files included. However, Dojo does not allow us to pass extra payload data (CSRF token, etc.).

Looking at the Dojo source I have come up with a nasty hack to workaround this so that I am able to use Dojo in my application.

I have added an extra attribute to my dojoConfig called payload:

var dojoConfig = (function(){

return {

async: true, isDebug: true, parseOnLoad: true, payload: '<csrf:token-name/>=<csrf:token-value/>'



I have then modified: req.injectUrl = function(url, callback, owner){

... node.src = url + "?" + dojo.config.payload;


the script tags src attribute to pass the payload from dojo.config in the querystring. This is not a very elegant solution and I am sure you guys will have something much better with your deep knowledge of the Dojo core. I can implement this and provide a patch if you provide some thoughts regarding a more robust solution.

Change History (4)

comment:1 Changed 10 years ago by ben hockey

Owner: set to davidmarginian
Status: newpending

have you tried dojoConfig.cacheBust for this

var dojoConfig = {
    async: true,
    cacheBust: '<csrf:token-name/>=<csrf:token-value/>'
    // ...

comment:2 Changed 10 years ago by davidmarginian

Status: pendingnew

Thank you. I will give this a try and report back.

comment:3 Changed 10 years ago by davidmarginian

cacheBust fixed it. Thanks a lot. I should have tried as the dojoConfig tutorial mentioned it:

cacheBust: If true, appends the time as a querystring to each module URL to avoid module caching:

comment:4 Changed 10 years ago by ben hockey

Resolution: invalid
Status: newclosed
Note: See TracTickets for help on using tickets.