Got: XSRF TOKEN support

Created on 22 Feb 2019 · 4 comments · Source: sindresorhus/got

Feature:

Automatic handling of XSRF-TOKEN

Motivation:

Simplify interaction with services that require XSRF protection.

Description:

If a cookie with the key XSRF-TOKEN is detected on a specific domain, then each request sent to this domain should contain an X-XSRF-TOKEN header with its value set to the one received in the cookie.
This feature should be configurable (e.g. options.xsrfToken = true).

All 4 comments

Can you link to some prior art about this? Like whether it's done and how it's done in other request libraries, like request, superagent, etc.

Should it be enabled by default? Why / why not?

  1. The only library I know that supports it by default is axios. It has two options regarding xsrf:
     • xsrfCookieName with default value 'XSRF-TOKEN'
     • xsrfHeaderName with default value 'X-XSRF-TOKEN'

Currently, in a pre-request hook I am reading cookies from the cookieJar, and if the xsrf-token cookie is present I am setting the x-xsrf-token header.

  1. It will be even better to enable it by default (but with an option to disable it)

  2. Here you have a short article on "why" to use xsrf protection https://stormpath.com/blog/angular-xsrf

If you have no time, I can contribute; it seems that it is not so complicated.
Just add something like the below into the pre-request function:

import { parse } from 'cookie';

// ...

let xsrfCookieName = 'XSRF-TOKEN'; // default value
let xsrfHeaderName = 'X-XSRF-TOKEN'; // default value

// ...

// Read the cookies stored for this host and look up the XSRF token.
// tough-cookie's getCookieString() takes a callback, so the synchronous
// variant is needed when the result is used inline like this.
const cookies = parse(cookieJar.getCookieStringSync(host));
const xsrfToken = cookies[xsrfCookieName];

// Mirror the cookie value into the header the server checks.
if (xsrfToken) {
  req.headers[xsrfHeaderName] = xsrfToken;
}

IMO this should be a Got plugin. If there were many such small features implemented in Got, the code wouldn't be readable at all. Got aims to follow the spec. There is no spec for XSRF yet - there are too many ways to implement the XSRF thing (e.g. forms).

For now, there are no docs on how to make a Got plugin - it is in the works, and the API might change (#707). We need to wait a little bit more. See the sneak peek.

@szmarczak I also agree with you on both topics

  • got should aim to implement IETF-standard RFCs
  • XSRF should be added as a plugin

I think using the got hooks, it should be possible to implement most XSRF methods, if not all.
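The pre-request snippet in the second comment and the remark above that Got hooks can cover most XSRF methods both describe the same mechanism: a hook that copies the token cookie into a request header. The following is an added example written for this page, not Got's own code or the commenter's. It assumes a hook shape of `{url, headers, cookieJar}` (mirroring Got's `beforeRequest` hook options), uses the axios-style option names from the thread, and replaces tough-cookie with a minimal in-memory stand-in (`FakeCookieJar`, exposing only `getCookieStringSync`) so it runs without dependencies. The names `createXsrfHook`, `parseCookieHeader` and `headersAfterHook` are assumptions, not Got APIs. The point it makes beyond the snippet: the jar is queried for the request's own URL, so a token stored for one host is never attached to a request to a different host, and an explicitly set header is never overwritten.

```javascript
// Added example (not Got's own code): a Got-style beforeRequest hook that
// mirrors an XSRF-TOKEN cookie into an X-XSRF-TOKEN header, scoped to the
// host the cookie was stored for. createXsrfHook, FakeCookieJar and
// headersAfterHook are names assumed for this example.

// Parse a Cookie header value ("a=1; b=2") into an object. Values are
// percent-decoded because servers commonly URL-encode the token cookie;
// undecodable values are kept verbatim rather than crashing the hook.
function parseCookieHeader(str) {
  const out = {};
  for (const part of String(str || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(raw);
    } catch (e) {
      out[name] = raw;
    }
  }
  return out;
}

// Stand-in cookie jar: hostname -> stored cookie string. A real jar
// (tough-cookie) applies domain/path/secure matching; this one keys on the
// exact hostname so the per-host scoping is visible in the test.
class FakeCookieJar {
  constructor(entries) {
    this.entries = entries;
  }
  getCookieStringSync(url) {
    const { hostname } = new URL(String(url));
    return this.entries[hostname] || '';
  }
}

// Build a hook with axios-style option names. The header is added only when
// the jar returns the token for the request's own URL, and never when the
// caller already set that header (compared case-insensitively).
function createXsrfHook({
  xsrfCookieName = 'XSRF-TOKEN',
  xsrfHeaderName = 'X-XSRF-TOKEN'
} = {}) {
  return function xsrfHook(options) {
    if (!options.cookieJar || !options.url) return;
    const alreadySet = Object.keys(options.headers).some(
      h => h.toLowerCase() === xsrfHeaderName.toLowerCase()
    );
    if (alreadySet) return;
    const cookies = parseCookieHeader(
      options.cookieJar.getCookieStringSync(options.url)
    );
    const token = cookies[xsrfCookieName];
    if (token) {
      options.headers[xsrfHeaderName] = token;
    }
  };
}

// Run a request-options object through the hook and return the headers.
function headersAfterHook(url, jar, hookOptions) {
  const options = { url: new URL(url), headers: {}, cookieJar: jar };
  createXsrfHook(hookOptions)(options);
  return options.headers;
}

// Constructed sample jar: the token was stored for api.example.com only.
const demoJar = new FakeCookieJar({
  'api.example.com': 'session=s1; XSRF-TOKEN=tok%2F123'
});
console.log(headersAfterHook('https://api.example.com/v1/items', demoJar));
console.log(headersAfterHook('https://other.example.net/', demoJar));
```

With a real Got client the hook would be registered as `hooks: { beforeRequest: [createXsrfHook()] }` alongside a `cookieJar`; the header name and cookie name are options because, as the thread notes, servers disagree on both.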
