Configures strings used in the optional server protocol.
The name of the HTTP header that will include the CSRF token for AJAX requests.
The name of the hidden <input> used for sending a CSRF token when submitting a default, non-AJAX form. For AJAX requests the token is sent as an [HTTP header](/up.protocol.config#config.csrfHeader) instead.
The parameter name can be configured as a string or as a function that returns the parameter name. If no name is set, no token will be sent.
Defaults to the content attribute of a <meta> tag named csrf-param:
<meta name="csrf-param" content="authenticity_token">
The CSRF token to send for unsafe requests. The token will be sent as either an HTTP header (for AJAX requests) or a hidden form <input> (for default, non-AJAX form submissions).
The token can be configured either as a string or as a function that returns the token. If no token is set, no token will be sent.
Defaults to the content attribute of a <meta> tag named csrf-token:
<meta name='csrf-token' content='secret12345'>
A CSP script nonce for the initial page that booted Unpoly.
The nonce lets Unpoly run JavaScript in HTML attributes like [up-on-loaded] or [up-on-accepted].
See Working with a strict Content Security Policy.
The nonce can be configured either as a string or as a function that returns the nonce.
Defaults to the content attribute of a <meta> tag named csp-nonce:
<meta name='csp-nonce' content='secret98765'>
The name of the request parameter containing the original request method when Unpoly needs to wrap the method.
Methods must be wrapped when making a full page request with a method other than GET or POST. In this case Unpoly will make a POST request with the original request method in a form parameter named _method:
POST /test HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

_method=PUT
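How a server might consume the CSRF fields and the wrapped method described above, as an added example that is not Unpoly's own code. The header name x-csrf-token, the function names and the request shape are assumptions made for this sketch; authenticity_token and _method are the values shown on this page.

```javascript
// Added example: server-side handling of the CSRF token and _method wrapper.
const HEADER_NAME = 'x-csrf-token';       // assumed csrfHeader value, lowercased
const PARAM_NAME = 'authenticity_token';  // from the csrf-param <meta> example
const METHOD_PARAM = '_method';           // from the wrapped POST example
const WRAPPABLE = new Set(['PUT', 'PATCH', 'DELETE']);
const SAFE = new Set(['GET', 'HEAD', 'OPTIONS']);

// Compares two equal-length strings without stopping at the first mismatch.
function sameToken(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// req is a hypothetical shape: { method, headers, body }, body being the raw
// application/x-www-form-urlencoded string.
function checkRequest(req, sessionToken) {
  const form = new URLSearchParams(req.body || '');
  let method = req.method.toUpperCase();
  // Honor the wrapper only on POST and only for methods a plain form cannot
  // send, so _method can never relabel an unsafe request as a safe one.
  if (method === 'POST' && form.has(METHOD_PARAM)) {
    const wrapped = form.get(METHOD_PARAM).toUpperCase();
    if (!WRAPPABLE.has(wrapped)) return { ok: false, method, reason: 'bad _method' };
    method = wrapped;
  }
  if (SAFE.has(method)) return { ok: true, method };
  // AJAX requests carry the token in the header, form submissions in the input.
  const sent = req.headers[HEADER_NAME] || form.get(PARAM_NAME);
  if (!sessionToken || !sameToken(sent, sessionToken)) {
    return { ok: false, method, reason: 'csrf' };
  }
  return { ok: true, method };
}
```
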
The preferred maximum length of an X-Up-prefixed header's value.
This is currently only honored for X-Up-Validate.